Senate Hearing, 112TH Congress - The State of Online Consumer Privacy

S. HRG.
112302
THE STATE OF ONLINE CONSUMER PRIVACY
HEARING
BEFORE THE
COMMITTEE ON COMMERCE,
SCIENCE, AND TRANSPORTATION
UNITED STATES SENATE
ONE HUNDRED TWELFTH CONGRESS
FIRST SESSION
MARCH 16, 2011
Printed for the use of the Committee on Commerce, Science, and Transportation
U.S. GOVERNMENT PRINTING OFFICE

WASHINGTON
73308 PDF
2012
For sale by the Superintendent of Documents, U.S. Government Printing Office

Internet: bookstore.gpo.gov Phone: toll free (866) 5121800; DC area (202) 5121800
Fax: (202) 5122104 Mail: Stop IDCC, Washington, DC 204020001
VerDate Nov 24 2008
06:38 Mar 19, 2012
Jkt 073308
PO 00000
Frm 00001
Fmt 5011
Sfmt 5011
S:\GPO\DOCS\73308.TXT
SCOM1
PsN: JACKIE
SENATE COMMITTEE ON COMMERCE, SCIENCE, AND TRANSPORTATION

ONE HUNDRED TWELFTH CONGRESS
FIRST SESSION
JOHN D. ROCKEFELLER IV, West Virginia, Chairman
DANIEL K. INOUYE, Hawaii
KAY BAILEY HUTCHISON, Texas, Ranking
JOHN F. KERRY, Massachusetts
OLYMPIA J. SNOWE, Maine
BARBARA BOXER, California
JOHN ENSIGN, Nevada
BILL NELSON, Florida
JIM DEMINT, South Carolina
JOHN THUNE, South Dakota
MARIA CANTWELL, Washington
ROGER F. WICKER, Mississippi
FRANK R. LAUTENBERG, New Jersey
JOHNNY ISAKSON, Georgia
MARK PRYOR, Arkansas
ROY BLUNT, Missouri
CLAIRE MCCASKILL, Missouri
AMY KLOBUCHAR, Minnesota
JOHN BOOZMAN, Arkansas
TOM UDALL, New Mexico
PATRICK J. TOOMEY, Pennsylvania
MARK WARNER, Virginia
MARCO RUBIO, Florida
MARK BEGICH, Alaska
KELLY AYOTTE, New Hampshire
ELLEN L. DONESKI, Staff Director
JAMES REID, Deputy Staff Director
BRUCE H. ANDREWS, General Counsel
ANN BEGEMAN, Republican Staff Director
BRIAN M. HENDRICKS, Republican General Counsel
(II)
VerDate Nov 24 2008
06:38 Mar 19, 2012
Jkt 073308
PO 00000
Frm 00002
Fmt 5904
Sfmt 5904
SCOM1
PsN: JACKIE
CONTENTS
Page
Hearing held on March 16, 2011 ............................................................................

Statement of Senator Pryor ....................................................................................
Prepared statement ..........................................................................................
Statement of Senator Kerry ....................................................................................
Statement of Senator Isakson .................................................................................
Statement of Senator McCaskill .............................................................................
Statement of Senator Klobuchar ............................................................................
1
1
2
3
6
29
31
WITNESSES
Hon. Jon D. Leibowitz, Chairman, Federal Trade Commission ..........................
Prepared statement of the Federal Trade Commission .................................
Hon. Lawrence E. Strickling, Assistant Secretary for Communications and
Information, National Telecommunications and Information Administration,
U.S. Department of Commerce ...........................................................................
Erich Andersen, Deputy General Counsel, Microsoft Corporation ......................
John Montgomery, Chief Operating Officer, North America, GroupM Interaction .....................................................................................................................
Ashkan Soltani, Independent Privacy Researcher and Consultant .....................
Barbara Lawler, Chief Privacy Officer, Intuit Inc. ...............................................
Christopher R. Calabrese, Legislative Counsel, American Civil Liberties
Union, Washington Legislative Office ................................................................
6
9
16
18
34
36
41
43
50
52
59
61
65
67
APPENDIX
Hon. Mark Begich, U.S. Senator from Alaska, prepared statement ...................
Response to written questions submitted to Hon. Jon D. Leibowitz by:
Hon. Mark Pryor ...............................................................................................
Hon. Kay Bailey Hutchison .............................................................................
Response to written questions submitted to Lawrence E. Strickling by:
Hon. Mark Pryor ...............................................................................................
Hon. Mark Begich .............................................................................................
Response to written questions submitted to John Montgomery by:
Response to written question submitted to Erich D. Andersen by:
Hon. John Ensign .............................................................................................
Response to written questions submitted to Barbara Lawler by:
Hon. Mark Pryor ...............................................................................................
Hon. Mark Begich .............................................................................................
Hon. John Ensign .............................................................................................
Response to written questions submitted to Christopher R. Calabrese by:
Hon. Mark Begich .............................................................................................
Comments on The State of Online Privacy by Adam Thierer, Senior Research Fellow, United States Senate, Committee on Commerce, Science,
and Transportation ..............................................................................................
85
85
87
89
90
90
92
92
93
94
94
96
96
98
(III)
VerDate Nov 24 2008
06:38 Mar 19, 2012
Jkt 073308
PO 00000
Frm 00003
Fmt 5904
Sfmt 5904
SCOM1
PsN: JACKIE
VerDate Nov 24 2008
06:38 Mar 19, 2012
Jkt 073308
PO 00000
Frm 00004
Fmt 5904
Sfmt 5904
SCOM1
PsN: JACKIE
THE STATE OF ONLINE CONSUMER PRIVACY

WEDNESDAY, MARCH 16, 2011
U.S. SENATE,
TRANSPORTATION,
Washington, DC.
The Committee met, pursuant to notice, at 10:05 a.m. in room
SR253, Russell Senate Office Building, Hon. Mark Pryor, presiding.
COMMITTEE
ON
COMMERCE, SCIENCE,
AND
OPENING STATEMENT OF HON. MARK PRYOR,

U.S. SENATOR FROM ARKANSAS
Senator PRYOR [presiding]. I will go ahead and call this to order.

I want to thank everyone for being here. And we have several witnesses today, and were going to have a great hearing. And I want
to thank everyone.
First, I want to thank the Commerce Committee staff for pulling
this hearing together. They really have pulled together an excellent
panel, two panels of witnesses.
One thing that Senator Kerry and I were just talking about is
the Senate is supposed to vote at 10:30. And based on Senate time,
we dont know if that means 10:30, 10:45, 11, whatever. But were
supposed to vote at 10:30. So at some point were going to have to
swap the gavel back and forth and race and vote and come back.
But well try to keep the hearing going during that time.
Also I know that Senator Kerry has really been a leader on this
type of legislation, looking at privacy concerns and has been working on a bill and so we would like to hear from him in just a few
moments on that.
What I thought I would do is just give a very brief statement.
And I know that Senator Hutchison is on the way and other Senators are on the way. We might dispense with the opening statements for all the Senators, if thats OK, except I thought I might
call on Senator Kerry for just a few moments to talk about his legislation and then go onto the panel. And once Senator Hutchison
shows up well certainly recognize her for her opening statement.
But let me just say that as we start today I want to welcome everyone to the Commerce Committees hearing on The State of Online Consumer Privacy. This is a very challenging endeavor. We
want to balance the free Internet, you know, the ability to access
free content and services for all users, with concerns that are
raised about users privacy and general information collection practices online.
So consumers can conduct research and read online newspapers.
They can write e-mails and respond to each other in real time.
(1)
VerDate Nov 24 2008
06:38 Mar 19, 2012
Jkt 073308
PO 00000
Frm 00005
Fmt 6633
Sfmt 6633
SCOM1
PsN: JACKIE
2
Some of them will be worried about how their information is being
collected online. Some of them may be willing to surrender some
information in exchange for the free content. Others dont have any
idea this is going on.
So this is a real challenge. As many good things as we can say
about the Internet and how it has really revolutionized information, and its been so great in so many ways, privacy is an area
that we need to keep focused on and try to balance these interests
and try to make sure that its a good place to be and a good place
to conduct business.
So our first panel is going to be the Federal Trade Commission
and the Department of Commerce.
Our second panel well hear from consumer advocates, technology
specialists and members of the business community. Their insights
and experience are valuable and very much appreciated.
I dont know if everyone knows the polling data, but recently
Common Sense Media published some results that said 85 percent
of parents say theyre more concerned about online privacy than
they were 5 years ago.
Seventy-five percent of parents dont think social networking
sites do a good job of protecting their childrens online privacy.
Ninety-one percent of parents think search engines and social
networking sites should not be able to share kids physical location
with other companies until parents give authorization.
So these are just a few of the issues that well hear about today.
And that as the Senate Commerce Committee and the Senate as
a whole and the Congress as a whole moves through this Congress
well try to work through these issues as best we can.
Again, Senator Hutchison is on the way. And well recognize her
in a few moments for her opening statement. But until she gets
here, Senator Kerry would you like to say a few words?
[The prepared statement of Senator Pryor follows:]
PREPARED STATEMENT
OF
HON. MARK PRYOR, U.S. SENATOR
FROM
ARKANSAS
Welcome to the Commerce Committees hearing on The State of Online Consumer Privacy.
Today we meet to discuss a challenging endeavor: how to balance a free Internetthe ability to access free content and services for all userswith concerns
raised about users privacy and general information collection practices online.
Consumers can conduct research and read online newspapers. They can write emails and respond to each other in real time. Some of them may be worried about
how their information is being collected online. Some of them may be willing to surrender some information in exchange for free content.
I look forward to listening to all sides to determine how best to negotiate these
perspectives: consumers privacy concerns with a desire to preserve a robust and
thriving Internet experience for all users.
First, well hear from the Federal Trade Commission and the Department of Commerce, both of which recently issued reports on consumer privacy and data security.
I look forward to examining their findings.
On the second panel, well hear from consumer advocates, technology specialists
and members of the business community. Their insights and experience are valuable
and appreciated.
While industry has dedicated much time to developing basic self-regulatory principles and their efforts are a great starting point, they alone have not eased peoples
concerns about the collection of their personal information from on-line sources. And
they will not, alone, prevent abuses from unscrupulous people and organizations.
This is particularly true when it comes to information collected on-line about kids.
The supporting statistics are clear. According to Common Sense Media:
VerDate Nov 24 2008
06:38 Mar 19, 2012
Jkt 073308
PO 00000
Frm 00006
Fmt 6633
Sfmt 6621
SCOM1
PsN: JACKIE
3
85 percent of parents say they are more concerned about online privacy than
they were 5 years ago;
75 percent of parents dont think social networking sites do a good job of protecting childrens online privacy;
91 percent of parents think search engines and social networking sites should
not be able to share kids physical location with other companies until parents
give authorization.
The Federal Trade Commission stressed in its December staff report the importance of improving transparency and consumer choice in the online privacy arena.
Incomprehensible privacy policies and user agreements are out. Better disclosures, better consumer choice and improved safety features are in.
Of course, one of the most elusive challenges we face as a society is how to address the seemingly permanent nature of written comments and information shared
on the Internet. In other words, what will new kinds of information sharing mean
for our childrens futureand for their reputations?
Will they be discriminated against with insurers or future employers based on financial, health or personal data they disclosed online when they were teenagers
due to an assumption that the information they shared would be protectedor
based on an assumption that they were controlling who could see that information?
Is it clearly explained to them that when they download certain applications or
apps on their phones or computers, they may be allowing those apps to access
their personal informationor their specific geographic location at any point in
time?
Many people in their teens and twenties now may well opt to share this kind of
informationthinking that the privacy trade-offs are well worth itbut they should
go into those choices with their eyes open.
Behavioral advertising has transformed the advertising industry. That isnt going
to change. In fact, if anything, it will increase as more and more varied types of
retailers and services do business online.
However, theres an inherent trade-off between free online content and the sale
of personal information that keeps it free. We need to discuss the proper balance
and think about whether this trade-off will remain relevant into the future.
Finally, one of the most important questions and one Im focused on this year is
whether we should treat adults and children differently online and have different
requirements for the collection and dissemination of their information.
These questions will engage the attention of this Committee during the 112th
Congress and for a long time to come. I will be working over the coming months
in an effort to address several of these issues.
And nothing is off the table. I welcome the witnesses with us today and I look
forward to hearing their testimony.
STATEMENT OF HON. JOHN F. KERRY,

U.S. SENATOR FROM MASSACHUSETTS
Senator KERRY. Thank you, Mr. Chairman. I would like to just

for a sec.
First of all thanks for having this hearing with Senator Rockefeller, I know, wanted to be here, but was unable to be.
And thanks for your leadership and stewardship on these issues.
I must say I was impressed by the energy and amount ofwere
talking about the social network. It was a hell of a social network
in here before this hearing started.
[Laughter.]
Senator KERRY. A lot of chatter.
As we all know modern technology allows private entities to observe the activities and actions of Americans on a scale that is unimaginable. And theres no general law of commerce to govern that
surveillance. And thats why I intend, along with other colleagues,
to propose one, a commercial privacy bill of rights.
The purpose of the legislation, I want to emphasize, is not to discourage information sharing but rather to encourage it. But under
VerDate Nov 24 2008
06:38 Mar 19, 2012
Jkt 073308
PO 00000
Frm 00007
Fmt 6633
Sfmt 6601
SCOM1
PsN: JACKIE
4
a common code of conduct that respects the rights of both the people sharing the information and the legitimate organizations collecting and using it on fair terms and conditions. I think the folks
that weve been working with, many of them here today in the industries, know that throughout my tenure on this Committee and
now as Chair of the Communications Subcommittee, I have worked
hard to protect the innovation and open architecture of the net.
Ive worked hard to fight for net neutrality. Ive worked hard to
prevent taxation and other things. So I believe in this now vital resource for our country in so many ways. But it is important to recognize that increasingly the American people have concerns and express those concerns.
Every single app that any one of us applies to our smartphone
or child applies to it is an observational opportunity for a private
company. And, amazingly, Internet users collectively sent 107 trillion, thats with a t, e-mail messages in 2010. Each of those messages is a scanable entity for key words that indicate the interests
or patterns of the people who send them.
Facebook started 2010 with 350 million users and ended it with
more than 600 million, almost all of which are sharing information
broadly whether they realize it or not. And the collection and use
of information offline from grocery stores to hotels to airlines has
also reached a record high enhancing the data businesses collect
online.
So on the positive side, all of this information sharing is generating enormous economic activity. And we like that. We want that.
And it encourages all kinds of innovation. And we want that.
But its also created new opportunities for unethical collectors of
information, unwilling to abide by fair information practice principles. And the question can be asked, why should they? Because,
you know, theres no law that requires that they do. That has understandably generated a lot of anxiety among Americans about
protecting their identity, protecting their personal information, protecting their habits. Protecting the choices that they make which
they think theyre making in the privacy of their relationship to
their keyboard and to their computer or to their phone or whatever
instrument theyre using, iPad, otherwise.
People have asked so whats the problem that this legislation
would seek to solve? Well under current law there are companies
today engaged in the practice of harvesting information from
websites and elsewhere and using and selling the information without the consent and/or notification or knowledge of the people to
whom that information pertains. There are also companies engaged
in the practice of using and collecting information that are not
building privacy into the design of their services and as a result
they lack the appropriate procedures and protections to ensure peoples information is secured and being treated fairly. Once a persons information is collected there are no legal restrictions on the
further distribution other than those that the collector chooses to
impose on themselves.
And lastly, Americans cannot today demand that someone who
has collected their information stop using it.
Each of these activities is a problem that Americans are asking
us to address. Now Ive long thought that baseline privacy protec-
VerDate Nov 24 2008
06:38 Mar 19, 2012
Jkt 073308
PO 00000
Frm 00008
Fmt 6633
Sfmt 6601
SCOM1
PsN: JACKIE
5
tions in law were sort of a matter of common sense. And over the
last 6 months Ive reached out to our colleagues on both sides of
the aisle, to privacy experts at firms, in academia and to the advocacy community with one simple goalto figure out why we
havent reached a consensus on a national standard for the treatment of peoples information and what we can do to establish one.
And let me just say thank you to many of the people here today.
Theres been a very positive reaction to this, a concerted effort. The
Obama Administration, the Commerce Department, others are
working diligently to try to help mold this, shape it. And Ive been
impressed by the cooperative atmosphere within which everybody
is working.
Many of the companies that have rejected legislation in the past
have made massive investments in privacy protection for their own
customers and at their own firms. A fair share of them now have
Chief Privacy Officers, who care deeply about the issue. And
theyve spent a lot of time thinking about it.
These are serious people. Many of them here. Some of them will
testify today. And they believe peoples information is deserving of
respect and protection not just because it makes good business
sense to protect your customers but also because I believe they
think its the right thing to do. And its in keeping with a sort of
value system and ethic that we share here in America about individuality and privacy.
The entire goal of the drafting process that were using to write
a commercial privacy bill of rights is to win pro-privacy, pro-innovation experts over to the side of establishing a common code of
conduct so that their customers are not just protected when working with them, but generally protected in the course of commerce.
And I think we all benefit by that. I believe that gaining these allies will depend on our willingness to recognize and respect the obvious good that can come from appropriate collection and the use
of data while also allowing for experimentation and flexibility in
the implementation of privacy practices through the establishment
of safe harbor programs.
So we approach this with a real open mind. And I think people
will acknowledge a fair amount of reasonableness and flexibility.
But we cant let the status quo stand. We cant continue to allow
the collectors of peoples information to dictate the level of privacy
protection that Americans will get when they engage in commerce.
And we cant continue to let the firms that provide no protections,
provide misleading statements in some cases, about protection,
about a protection that they can change at will, at whim, at fancy
or allow them just to send the information along to others without
regard to where it goes or under what conditions that it goes there.
So myMr. Chairman, I hope were going to establish clear and
flexible rules for behavior in our legislation. And if not, I think everybody understands that enforcement agencies are going to step
up and react against unfair and/or deceptive practices with cases
that will be built sort of individually as you go along with less clear
direction than we could provide if we do this in a sensible, legislative way. If we dont act, the worlds largest markets will continue
to impose on our innovators their own rules for private e-protec-
VerDate Nov 24 2008
06:38 Mar 19, 2012
Jkt 073308
PO 00000
Frm 00009
Fmt 6633
Sfmt 6601
SCOM1
PsN: JACKIE
6
tion. And I believe those rules could well wind up being less flexible and less innovative than what I will be proposing.
So I look forward to working with the witnesses here today. And
I thank you very much, Mr. Chairman, for allowing me to make
that statement.
Senator PRYOR. Thank you.
Senator Isakson?
STATEMENT OF HON. JOHNNY ISAKSON,
U.S. SENATOR FROM GEORGIA
Senator ISAKSON. Thank you, Mr. Chairman. Ill be brief but I

cant help but think as I was listening to Senator Kerry speak, I
ran a company for 22 years and we did about $1.2 million in advertising in various mediums to sell our product. And we would always pick the medium whether it was TV or radio or classified
newspaper or display in a magazine by trying to pick the medium
we thought the most people would be potential customers for our
product would actually go to. And that provided anonymity for the
potential customer and made me do a lot of thinking.
What the Internet has done and technology has done its allowed
that anonymous information that was subject to analysts and
guesses to become a potential commodity that could actually be
sold for purposes other than that determination. So I think its at
a very appropriate time that the Commerce Committee look at this,
because of the expanse of the Internet, the expanse of the information and what is taking place in the revolution that its brought to
American marketing.
So I look forward to being a part of the Committee, a part of the
work. And look forward to working with Senator Kerry, Senator
Pryor and the others on the Committee to find the right message
to send and the right road to go down.
Thank you, Mr. Chairman.
Now our first panel here both of these witnesses we have extraordinary bios and lists of accomplishments that we could discuss
and we will submit for the record.
But what Id like to do is just simply introduce them as the Honorable Jon D. Leibowitz, Chairman of the Federal Trade Commission.
And the Honorable Lawrence E. Strickling, the Administrator of
the National Telecommunications and Information Administration.
Chairman Leibowitz?
STATEMENT OF HON. JON D. LEIBOWITZ, CHAIRMAN,
FEDERAL TRADE COMMISSION
Mr. LEIBOWITZ. Thank you, Chairman Pryor. And Senator Kerry,

Senator Isakson and let me also mention Senator Rockefeller,
thank you for your leadership on privacy issues as well as for giving me the opportunity to be here with Larry Strickling from the
Department of Commerce. Our two agencies have a very long history of cooperation, and we are eager to build on that as we work
together to protect consumer privacy while ensuring business
growth and innovation.
VerDate Nov 24 2008
06:38 Mar 19, 2012
Jkt 073308
PO 00000
Frm 00010
Fmt 6633
Sfmt 6601
SCOM1
PsN: JACKIE
7
As you know, over the past several decades the FTC has protected privacy through law enforcement, through education and
through policy efforts. Just this week we announced our first major
enforcement effort aimed at abusive behavioral marketing practices. We charged the online advertising network Chitika with violating the FTC Act by offering consumers the ability to opt-out of
targeted advertising but without telling them that the opt-out vanished in 10 days.
That vanishing opt-out, a 10-day vanishing opt-out, is not only
wrong, it is unacceptable. Consumers deserve meaningful and not
illusory control over what companies do with their personal information. Chitika has agreed to an order that requires it to destroy
personal data it collected and provide an opt-out on all ads thats
effective for at least 5 years.
This case, and it is the first of many more privacy enforcement
cases youll see from us, should send a strong signal to the online
ad industry. The FTC will not tolerate attempts to subvert consumer choice. And overall we have brought well over 100 spam and
spyware cases and 30 data security cases over the last 10 years.
Turning to the policy front. As I heard in your opening statements recognizing the real benefits of information collection, the
status quo, as you said, Senator Kerry, isnt acceptable. We released a report on consumer privacy in December designed to reduce privacy burdens on both businesses and consumers alike
while ensuring business growth and continuing Internet innovation. The report made three primary recommendations.
First, companies need to bake in privacy protections like data security and accuracy into all of their activities. We call that privacy
by design.
Second, choices about privacy of personal data should be presented to consumers in a simple way, and at the time they are
making decisions about that data.
And third, transparency needs to be improved. Privacy notices
must be clearer, shorter and more standardized, otherwise no one
will read them. And indeed very few people actually do.
The comment period on the proposed new framework just closed
and we received 446 comments, which may be a record for us. And
we expect to issue a final report later this year.
To further the idea of simplifying choices for consumers, the report recommended a Do Not Track mechanism. Now while that
name sounds similar to our Do Not Call registry, which the government runs, were looking instead to the private sector to create a
way for consumers to choose whether to allow their Internet surfing to be monitored. Simply put you should have a choice, all of us
should have a choice about whether third parties, all invisible to
us, can trail us around the Internet as we shop or search for information about say, a medical diagnosis.
This goes back to your point about the deanonymization of information here and over the last 10 years when youre thinking about
the Internet. Do Not Track will give all Americans a choice about
whether to be followed online. More than that, when data is protected consumers will more readily trust companies in the marketplace and that encourages business growth and business innovation.
VerDate Nov 24 2008
06:38 Mar 19, 2012
Jkt 073308
PO 00000
Frm 00011
Fmt 6633
Sfmt 6601
SCOM1
PsN: JACKIE
8
Now stakeholders have responded very, very positively to our call
for Do Not Track. Two of the largest browser companies, Microsoft
and Mozilla, rolled out new mechanisms to allow consumers control
over the use of their personal information for online behavioral advertising. The industry has now demonstrated that Do Not Track
is feasible so the discussion turns to which approach is best.
One promising effort involves an industry coalition comprised of
media and ad marketing companies in an association known as the
Digital Advertising Alliance. The Alliance has developed an icon
which they hope will be deployed industry wide that will display
in targeted advertisements and link to more information and
choices. For my part, I still remain concerned that the current proposal wont result in a permanent opt-out for all ad networks. And
it doesnt allow consumers to control collection of their personal
data just the blocking of ads that go back to them.
But many of the Alliances members want to go further to protect
consumers. My understandingand actually its in todays Wall
Street Journal as wellis that theres a sort of insurgent group of
more than 30 companies that wants to prohibit most types of tracking and embrace the Mozilla header. And so were cautiously optimistic that the Alliance is moving in the right direction.
Mr. Chairman, I ask for unanimous consent for an additional
minute.
Senator PRYOR. Sure. Absolutely.
Mr. LEIBOWITZ. So from my perspective Im sort of agnostic as to
whether the private sector should implement Do Not Track or if
Congress should require it. I think sometimes its easier for the private sector to do it. But we do need to make sure that Do Not
Track isnt just an empty slogan but that it really works for the
American people.
There are five critical principles that we believe should be included in any robust, effective Do Not Track mechanism.
One, Do Not Track should be universal so the consumers dont
have to repeatedly make choices on a company by company basis.
Two, Do Not Track should be easy to find and easy to use.
Three, any choices offered should be persistent and should not be
deleted if for example, a consumer clears his or her cookies or
turns off a computer.
Four, Do Not Track should not only allow consumers to opt-out
of advertising, it should allow them to opt-out of tracking all together. And personally, from my perspective, I dont mind getting
targeted ads. I think theres a real benefit to that. But people ought
to be given a choice about whether or not they want to be tracked.
And finally, it should be effective and enforceable without technical loopholes.
We hope to continue to see the private sector develop tools that
meet these standards more broadly. Were hopeful that American
businesses will step up their efforts. And weve started to see them
protect consumer privacy by applying the consensus principles from
our report: privacy by design, transparency and consumer choice.
Working together with this Committee, and with the Department
of Commerce, we believe we can make that happen.
So I thank you for this hearing.
[The prepared statement of Mr. Leibowitz follows:]
VerDate Nov 24 2008
06:38 Mar 19, 2012
Jkt 073308
PO 00000
Frm 00012
Fmt 6633
Sfmt 6601
SCOM1
PsN: JACKIE
9
PREPARED STATEMENT
OF THE
FEDERAL TRADE COMMISSION
Chairman Rockefeller, Ranking Member Hutchison, and members of the Committee, I am Jon Leibowitz, Chairman of the Federal Trade Commission (FTC or
Commission). I appreciate the opportunity to present the Commissions testimony
on privacy.1
Privacy has been an important component of the Commissions consumer protection mission for 40 years. During this time, the Commission has employed a variety
of strategies to protect consumer privacy, including law enforcement, regulation,
outreach to consumers and businesses, and policy initiatives.2
Over the years, the Commissions goal in the privacy arena has remained constant: to protect consumers personal information and ensure that they have the
confidence to take advantage of the many benefits offered by the dynamic and everchanging marketplace. To meet this objective, the Commission has periodically reexamined its approach to privacy to ensure that it keeps pace with advances in technology and changing business practices as well as to ensure that incentives for
American innovation are maintained. The latest effort in this process is a Preliminary FTC Staff Report, released in December, which proposes a framework for protecting consumer privacy in this era of rapid technological change. This proposed
framework is intended to inform policymakers, including Congress, as they develop
solutions, policies, and potential laws governing privacy, and guide and motivate industry as it develops more robust and effective best practices and self-regulatory
guidelines.
This testimony begins by describing the Commissions recent efforts to protect
consumer privacy through law enforcement, education, and policy initiatives. It then
sets forth some highlights from the Staff Report on consumer privacy, and concludes
with a discussion of issues related to a universal choice mechanism for behavioral
tracking, commonly referred to as Do Not Track.
I. The FTCs Efforts to Protect Consumer Privacy
A. Enforcement
The Commission continues to pursue an aggressive and bipartisan privacy enforcement agenda. In the last 15 years, it has brought 32 data security cases; 64
cases against companies for improperly calling consumers on the Do Not Call registry; 86 cases against companies for violating the Fair Credit Reporting Act
(FCRA); 3 97 spam cases; 15 spyware (or nuisance adware) cases; and 15 cases
against companies for violating the Childrens Online Privacy Protection Act
(COPPA). Where the FTC has authority to seek civil penalties, it has aggressively
done so. It has obtained $60 million in civil penalties in Do Not Call cases, $21 million in civil penalties under the FCRA, $5.7 million under the CANSPAM Act,4 and
$3.2 million under COPPA. Where the Commission does not have authority to seek
civil penalties, as in the data security and spyware areas, it has sought such authority from Congress. In addition, the Commission has brought numerous cases against
companies for violating the FTC Act by making deceptive claims about the privacy
protection they afford to the information they collect, which has the effect of undermining consumer choices on privacy. This testimony describes four such cases that
the Commission has brought within the past several months.
Just this week, the Commission announced its first online behavioral advertising
case against an online network advertiser, Chitika, that acts as an intermediary between website publishers and advertisers. The Commission alleged that Chitika violated the FTC Act by offering consumers the ability to opt-out of the collection of
information to be used for targeted advertisingwithout telling them that the optout lasted only 10 days.5 The Commissions order prohibits Chitika from making future privacy misrepresentations. It also requires Chitika to provide consumers with
an effective opt-out mechanism, link to this opt-out mechanism in its advertisements, and provide a notice on its website for consumers who may have opted out
1 This written statement represents the views of the Federal Trade Commission. Commissioner Kovacic dissents. His concerns about the Commissions testimony, and the report by its
staff, are set forth in his statement on the latter. In particular, he believes that the endorsement
of a Do Not Track mechanism by staff (in the report) and the Commission (in this testimony)
is premature. My oral presentation and responses are my own and do not necessarily reflect
the views of the Commission or of any other Commissioner.
2 Information on the FTCs privacy initiatives generally may be found at http://business.ftc.gov/privacy-and-security.
3 15 U.S.C. 1681ei.
4 15 U.S.C. 77017713.
5 Chitika, Inc., FTC File No. 102 3087 (Mar. 14, 2011) (consent order accepted for public comment).
VerDate Nov 24 2008
06:38 Mar 19, 2012
Jkt 073308
PO 00000
Frm 00013
Fmt 6633
Sfmt 6621
SCOM1
PsN: JACKIE
10
when Chitikas opt-out mechanism was ineffective. Finally, the order requires
Chitika to destroy any data that can be associated with a consumer that it collected
during the time its opt-out mechanism was ineffective.
Second, earlier this month, the Commission approved a final consent order in a
case involving the social networking service Twitter.6 On one level, Twitter is a traditional data security casethe FTC charged that serious lapses in the companys
data security allowed hackers to obtain unauthorized administrative control of Twitter. As a result, hackers had access to private tweets and non-public user information and took over user accounts, including among others, those of President Obama
and Rupert Murdoch. On another level, the case stands for the proposition that social networking services must honor the commitments they make to keep their
users communications private. The order prohibits misrepresentations about the extent to which Twitter protects the privacy of communications, requires Twitter to
maintain reasonable security, and mandates independent, comprehensive audits of
Twitters security practices.7
Third, in December, the Commission announced a case against EchoMetrix, a
company selling a software program called Sentry Parental Controls that enables
parents to monitor their childrens activities online. The Commission alleged that
EchoMetrix sold certain information that it collected from children via this software
to third parties for marketing purposes, without telling parents. The Commissions
order prohibits the company from sharing information gathered from its monitoring
software and requires the company to destroy any such information in its database
of marketing information.8
Finally, in September, the Commission settled a case against U.S. Search, a data
broker that maintained an online service, which allowed consumers to search for information about others. The company allowed consumers to opt-out of having their
information appear in search results, for a fee of $10. Although 4,000 consumers
paid the fee and opted out, their personal information still appeared in search results. The Commissions settlement requires U.S. Search to disclose limitations on
its opt-out offer, and to provide refunds to consumers who had previously opted out.9
In addition to these privacy enforcement actions, the Commission has been aggressive on the data security front to ensure that companies protect the sensitive
data they collect about consumers. In February 2011, three companies that resell
consumers credit reports agreed to settle FTC charges that they did not take reasonable steps to protect consumers personal information, which allowed computer
hackers to access more than 1,800 credit reports via their clients computer networks. These are the first cases the FTC has brought against credit report resellers
for their failure to ensure that the companies to whom they provide consumer re6 Twitter, Inc., FTC File No. 092 3093 (Mar. 11, 2011) (consent order) (resolving allegations
that Twitter deceived its customers by failing to honor their choices to designate certain tweets
as private).
7 Many of the Commissions earliest consumer privacy cases similarly held companies accountable for their privacy statements and practices. See, e.g., GeoCities, Inc., FTC Docket No. C
3850 (Feb. 5, 1999) (consent order) (alleging that company misrepresented the purposes for
which it was collecting personal information from both children and adults); Liberty Fin. Cos.,
FTC Docket No. C3891 (Aug. 12, 1999) (consent order) (alleging that site falsely represented
that personal information collected from children, including information about family finances,
would be maintained anonymously); FTC v. ReverseAuction.com, Inc., No. 000032 (D.D.C. Jan.
10, 2000) (consent order) (alleging that online auctionsite obtained consumer data from competitor site and then sent deceptive, unsolicited e-mail messages to those consumers seeking their
business); FTC v. Toysmart.com LLC, 00CV11341RGS (D. Mass. filed July 10, 2000) (alleging site attempted to sell personal customer information, despite the representation in its privacy policy that such information would never be disclosed to a third party); FTC v. Rennert,
No. CVS000861JBR (D. Nev. July 24, 2000) (consent order) (alleging that defendants misrepresented their security practices and how they would use consumer information); Educ. Research Ctr. of Am., Inc.; Student Marketing Grp., Inc., FTC Docket No. C4079 (May 6, 2003)
(consent order) (alleging that personal data collected from students for educational purposes was
sold to commercial marketers); The Natl Research Ctr. for College & Univ. Admissions, FTC
Docket No. C4071 (Jun. 28, 2003) (consent order) (same); Gateway Learning Corp., FTC Docket
No. C4120 (Sept. 10, 2004) (consent order) (alleging that company rented customer information
to list brokers in violation of its privacy policy); Vision I Props., LLC, FTC Docket No. C4135
(Apr. 19, 2005) (consent order) (alleging that a service provider disclosed customer information
in violation of merchant privacy policies). Sears Holdings Mgmt. Corp., FTC Docket No. C4264
(Aug. 31, 2009) (consent order).
8 FTC v. Echometrix, Inc., No. CV105516 (E.D.N.Y. Nov. 30, 2010) (consent order).
9 US Search, Inc., FTC File No. 102 3131 (Sept. 22, 2010) (consent order accepted for public
comment).
VerDate Nov 24 2008
06:38 Mar 19, 2012
Jkt 073308
PO 00000
Frm 00014
Fmt 6633
Sfmt 6621
SCOM1
PsN: JACKIE
11
ports maintain reasonable security.10 The Commission alleged that the resellers violated the FCRA, the Gramm-Leach-Bliley Safeguards Rule, and Section 5 of the
FTC Act. The consent orders bar the companies from violating these laws, require
them to implement comprehensive information security programs, and require them
to obtain independent audits, every other year for 20 years.
B. Consumer and Business Education
The FTC has done groundbreaking outreach to businesses and consumers in the
area of consumer privacy. For example, the Commissions well-known OnGuard Online website educates consumers about spam, spyware, phishing, peer-to-peer
(P2P) file sharing, social networking, laptop security, and identity theft.11 The
FTC has developed additional resources specifically for children, parents, and teachers to help children stay safe online. In response to the Broadband Data Improvement Act of 2008, the FTC produced the brochure Net Cetera: Chatting with Kids
About Being Online to give adults practical tips to help children navigate the online
world.12 The publication includes information about how parents should talk to children about online privacy, sexting, and cyberbullying. In less than 1 year, the Commission already has distributed more than 7 million copies of Net Cetera to schools
and communities nationwide. The Commission also offers specific guidance to young
people concerning certain types of Internet services, including, for example, social
networking and video and photo sharing.13
Most recently, the FTC released a consumer education publication on the safe use
of wi-fi hot spots.14 The publication, available on the FTC and Onguard Online
websites, explains that when using wireless networks, consumers should convey personal information only if it is encryptedeither through an encrypted website or a
secure network. The piece notes that an encrypted website is one whose URL begins
with https, rather than http; it further notes that in order to be secure, a WiFi network must be password-protected.
Business education is also an important priority for the FTC. For example, the
Commission developed a widely-distributed guide to help small and medium-sized
businesses implement appropriate data security for the personal information they
collect and maintain.15 The FTC also develops business education materials to respond to specific emerging issues, such as a recent brochure on security risks associated with P2P file-sharing software.16
C. Policy and Rulemaking Initiatives
The Commissions efforts with respect to privacy include public workshops and reports to examine the implications of new technologies on consumer privacy. For example, in November 2007, the Commission held a two-day Town Hall event to discuss the privacy implications of online behavioral advertising.17 Based upon the
Town Hall discussions, staff released for public comment a set of proposed principles
to encourage industry members to improve their behavioral advertising practices.18
Thereafter, in February 2009, staff released a report (OBA Report) setting forth
the following revised principles based on the comments received: (1) transparency
and consumer control; (2) reasonable security and limited retention for consumer
data; (3) affirmative express consent for material retroactive changes to privacy policies; and (4) affirmative express consent for the use of sensitive data.19
10 SettlementOne Credit Corp., File No. 082 3208; ACRAnet, Inc., File No. 092 3088; and
Fajilan and Associates, Inc., File No. 092 3089 (Feb. 3, 2011) (consent orders accepted for public
comment).
11 See http://www.onguardonline.gov/topics/social-networking-sites.aspx. Since its launch in
2005, OnGuard Online and its Spanish-language counterpart Alertaena Lnea have attracted
nearly 12 million unique visits.
12 See Press Release, FTC, OnGuardOnline.gov Off to a Fast Start with Online Child Safety
Campaign (Mar. 31, 2010), available at http://www.ftc.gov/opa/2010/03/netcetera.shtm.
13 See
http://www.onguardonline.gov/topics/social-networking-sites.aspx;
http://www.on
guardonline.gov/topics/net-cetera-mobile-phones.aspx.
14 See http://www.onguardonline.gov/topics/hotspots.aspx.
15 See Protecting Personal Information: A Guide For Business, available at http://www.ftc
.gov/infosecurity.
16 See generally http://business.ftc.gov/privacy-and-security.
17 FTC Town Hall, Ehavioral Advertising: Tracking, Targeting, & Technology (Nov.12, 2007),
available at http://www.ftc.gov/bcp/workshops/ehavioral/index.shtml.
18 See FTC Staff, Online Behavioral Advertising: Moving the Discussion Forward to Possible
Self-Regulatory Principles (Dec. 20, 2007), available at http://www.ftc.gov/os/2007/12/
P859900stmt.pdf.
19 See FTC Staff Report: Self-Regulatory Principles For Online Behavioral Advertising (Feb.
2009), available at http://www.ftc.gov/os/2009/02/P085400behavadreport.pdf, at 3337, 46.
Continued
VerDate Nov 24 2008
06:38 Mar 19, 2012
Jkt 073308
PO 00000
Frm 00015
Fmt 6633
Sfmt 6621
SCOM1
PsN: JACKIE
12
The Commission also reviews its rules periodically to ensure that they are appropriately updated in light of changes in the marketplace. For example, the Commission is currently reviewing its rule implementing the COPPA and anticipates completing that review in the coming months.20
II. Privacy Roundtables and Report
The Commission also recently conducted a series of public roundtables on consumer privacy,21 which took place in December 2009, and January and March 2010.
The roundtables served to explore the effectiveness of current privacy approaches
in addressing the challenges of the rapidly evolving market for consumer information, including consideration of the risks and benefits of consumer information collection and use; consumer expectations surrounding various information management practices; and the adequacy of existing legal and self-regulatory regimes to address privacy interests. Staff issued a preliminary privacy report in December
2010,22 which discusses the major themes that emerged from these roundtables, including the ubiquitous collection and use of consumer data; consumers lack of understanding and ability to make informed choices about the collection and use of
their data; the importance of privacy to many consumers; the significant benefits enabled by the increasing flow of information; and the blurring of the distinction between personally identifiable information and supposedly anonymous or de-identified information.23
At the roundtables, stakeholders across the board emphasized the need to improve
the transparency of businesses data practices, simplify the ability of consumers to
exercise choices about how their information is collected and used, and ensure that
businesses take privacy-protective measures as they develop and implement systems
that involve consumer information. At the same time, the roundtable commenters
and participants urged regulators to be cautious about restricting the exchange and
use of consumer data in order to preserve the substantial consumer benefits made
possible through the flow of information. Based on these comments, the preliminary
staff privacy report proposed a new framework to guide policymakers and industry
as they consider further steps to improve consumer privacy protection.
A. The Proposed Framework
The proposed framework included three main concepts. First, FTC staff proposed
that companies should adopt a privacy by design approach by building privacy protections into their everyday business practices. Such protections include providing
reasonable security for consumer data, collecting only the data needed for a specific
business purpose, retaining data only as long as necessary to fulfill that purpose,
safely disposing of data no longer in use, and implementing reasonable procedures
to promote data accuracy. Companies also should implement and enforce procedurally sound privacy practices throughout their organizations, including, for example, assigning personnel to oversee privacy issues, training employees on privacy
issues, and conducting privacy reviews when developing new products and services.
Such concepts are not new, but the time has come for industry to implement them
systematically. Implementation can be scaled, however, to each companys business
operations. For example, the Staff Report recommended that companies that collect
and use small amounts of nonsensitive consumer data should not have to devote the
same level of resources to implementing privacy programs as companies that collect
vast amounts of consumer data or data of a sensitive nature.
Second, the Commission staff proposed that companies provide simpler and more
streamlined choices to consumers about their data practices. Under this approach,
consumer choice would not be necessary for a limited set of commonly accepted
data practices, thus allowing clearer, more meaningful choice with respect to practices of greater concern. This component of the proposed framework reflects the concept that consumers reasonably expect companies to engage in certain practices
The revisions primarily concerned the principles scope and application to specific business models. Id. at 2030.
20 See http://business.ftc.gov/documents/coppa-rulemaking-and-rule-reviews; Request for Public Comment on the Federal Trade Commissions Implementation of the Childrens Online Privacy Protection Rule, 17 Fed. Reg. 17089 (Apr. 5, 2010), available at http://www.ftc.gov/os/
fedreg/2010/april/P104503coppa-rule.pdf.
21 See Press Release, FTC, FTC to Host Public Roundtables to Address Evolving Privacy
Issues (Sept. 15, 2009), available at http://www.ftc.gov/opa/2009/09/privacyrt.shtm.
22 See A Preliminary FTC Staff Report on Protecting Consumer Privacy in an Era of Rapid
Change: A Proposed Framework for Businesses and Policymakers (Dec. 1, 2010), available at
http://www.ftc.gov/os/2010/12/101201privacyreport.pdf. Commissioners Kovacic and Rosch
issued concurring statements available at http://www.ftc.gov/os/2010/12/101201privacy
report.pdf at Appendix D and Appendix E, respectively.
23 Id. at 2238.
VerDate Nov 24 2008
06:38 Mar 19, 2012
Jkt 073308
PO 00000
Frm 00016
Fmt 6633
Sfmt 6621
SCOM1
PsN: JACKIE
13
namely, product and service fulfillment, internal operations such as assessing the
quality of services offered, fraud prevention, legal compliance, and first-party marketing. Some of these practices, such as a retailers collection of a consumers address solely to deliver a product the consumer ordered, are obvious from the context
of the transaction, and therefore, consumers consent to them can be inferred. Others are sufficiently accepted or necessary for public policy reasons that companies
need not request consent to engage in them. The Staff Report suggested that by
clarifying those practices for which consumer consent is unnecessary, companies will
be able to streamline their communications with consumers, which will reduce the
burden and confusion on consumers and businesses alike.
For data practices that are not commonly accepted, consumers should have the
ability to make informed and meaningful choices. To be most effective, choices
should be clearly and concisely described and offered at a time and in a context in
which the consumer is making a decision about his or her data. Depending upon
the particular business model, this may entail a just-in-time approach, in which
the company seeks consent at the point a consumer enters his personal data or before he accepts a product or service. One way to facilitate consumer choice is to provide it in a uniform and comprehensive way. Such an approach has been proposed
for behavioral advertising, whereby consumers would be able to choose whether to
allow the collection and use of data regarding their online searching and browsing
activities. This idea is discussed further below.
Third, the Staff Report proposed a number of measures that companies should
take to make their data practices more transparent to consumers. For instance, in
addition to providing the contextual disclosures described above, companies should
improve their privacy notices so that consumers, advocacy groups, regulators, and
others can compare data practices and choices across companies, thus promoting
competition among companies. The staff also proposed providing consumers with
reasonable access to the data that companies maintain about them, particularly for
non-consumer-facing entities such as data brokers. Because of the significant costs
associated with access, the Staff Report noted that the extent of access should be
proportional to both the sensitivity of the data and its intended use. In addition,
the Staff Report stated that companies must provide prominent disclosures and obtain affirmative consent before using data in a materially different manner than
claimed when the data was collected.
Finally, the Staff Report proposed that stakeholders undertake a broad effort to
educate consumers about commercial data practices and the choices available to
them. Increasing consumer understanding of the commercial collection and use of
their information is important to both empowering consumers to make informed
choices regarding their privacy and facilitating competition on privacy across companies. In addition to proposing these broad principles, the staff sought comment from
all interested parties to help guide further development and refinement of the proposed framework through February 18, 2011. Close to 450 comments were received
and staff expects to issue a final report this year.
B. Do Not Track
As noted above, the Staff Report included a recommendation to implement a universal choice mechanism for behavioral tracking, including behavioral advertising,
often referred to as Do Not Track. 24 Although behavioral tracking benefits consumers by helping support online content and services and allowing personalized
advertising that many consumers value, the practice remains largely invisible to
most consumers. Some surveys 25 show that certain consumers who are aware of the
practice are uncomfortable with it.26 A recent USA Today/Gallup poll found that 47
24 See FTC Staff Report, supra note 22. See also Rosch concurring statement, id., in which
Commissioner Rosch supported a Do Not Track mechanism only if it were technically feasible
and implemented in a fashion that provides informed consumer choice regarding all the attributes of such a mechanism. To clarify, Commissioner Rosch continues to believe that a variety
of questions need to be answered prior to the endorsement of any particular Do Not Track mechanism.
25 Consumer survey evidence, by itself, has limitations. For instance, the way questions are
presented may affect survey results. Also, while survey evidence may reveal a consumers stated
attitudes about privacy, survey evidence does not necessarily reveal what actions a consumer
will take in real-world situations. The Commission does not endorse the reliability or methodology of any surveys discussed herein.
26 See, e.g., Transcript of December 7, 2009, FTC Privacy Roundtable, Remarks of Alan Westin
of Columbia University, at 9394, available at http://www.ftc.gov/bcp/workshops/privacy
roundtables/PrivacyRoundtablelDec2009lTranscript.pdf; Written Comment of Berkeley Center
for Law & Technology, Americans Reject Tailored Advertising and Three Activities that Enable
Continued
VerDate Nov 24 2008
06:38 Mar 19, 2012
Jkt 073308
PO 00000
Frm 00017
Fmt 6633
Sfmt 6621
SCOM1
PsN: JACKIE
14
percent of consumers would like to choose which advertisers may deliver them targeted advertisements and 37 percent would like to receive no targeted advertisements at all.27 In another poll, 80 percent of consumers supported a Do Not Track
option.28 In addition, according to a recent Wall Street Journal article, because of
concerns that third-party tracking may be intrusive, some websites are increasing
their scrutiny of such third-party tracking on their sites.29
In light of the concerns expressed about online tracking, the Staff Report recommended a Do Not Track mechanism. A robust, effective Do Not Track system
would ensure that consumers can opt-out once, rather than having to exercise
choices on a company-by-company or transaction-by-transaction basis. Such a universal mechanism could be accomplished through legislation or potentially through
robust, enforceable self-regulation.
The FTC repeatedly has called on stakeholders to develop and implement better
tools to allow consumers to control the collection and use of their online browsing
data.30 Industry participants have begun to respond to this call. Two major browser
vendors, Microsoft and Mozilla, have recently announced the development of new
choice mechanisms for online behavioral advertising that seek to provide increased
transparency, greater consumer control, and improved ease of use.31 Just as important, the World Wide Web Consortium (W3C) has accepted a submission by Microsoft to consider a technical standard for a universal choice mechanism.The W3C announced an April 2011 workshop to begin the public dialogue with relevant stakeholders regarding how to incorporate do not track preferences into Internet browsing so websites can respect a users preference not to be tracked.32 Finally, just last
week, Stanfords Center for Internet and Society and Mozilla jointly submitted a
proposal to the Internet Engineering Task Force outlining a header-based Do Not
Track mechanism and discussing how web services should respond to such a mechanism.33
The online advertising industry has also made progress in this area. For example,
an industry coalition comprised of media and marketing associations, known as the
Digital Advertising Alliance, has developed self-regulatory guidelines and an opt-out
mechanism for behavioral advertising.34 The coalition has developed an icon to display in or near targeted advertisements that links to more information and choices
It, cmt. #54450600113, available at http://www.ftc.gov/os/comments/privacyroundtable/
54450600113.pdf; Written Comment of Craig Wills, Personalized Approach to Web Privacy
Awareness, Attitudes and Actions, cmt. #54450600119, available at http://www.ftc.gov/os/comments/privacyroundtable/544506-00119.pdf; Written Comment of Alan Westin, How Online
Users Feel About Behavioral Marketing and How Adoption of Privacy and Security Policies
Could Affect Their Feelings, cmt. #54450600052, available at http://www.ftc.gov/os/comments/privacyroundtable/544506-00052.pdf; see also Poll: Consumers Concerned About Internet
Privacy, Consumers Union, available at http://www.consumersunion.org/pub/coreltele
comlandlutilities/006189.html.
27 See U.S. Internet Users Ready to Limit Online Tracking for Ads (Dec. 21, 2010), available
at http://www.gallup.com/poll/145337/internet-users-ready-limit-online-tracking-ads.aspx.
28 See News Release, Consumer Watchdog, Americans Favor Broad Range Of Online Privacy
Protections for Consumers (Jul. 27, 2010), available at http://www.consumerwatchdog.org/
newsrelease/consumer-watchdog-poll-finds-concern-about-g oogles-wi-spy-snooping.
29 Jessica Vascellaro, Websites Rein in Tracking Tools, WALL ST. J., Nov. 9, 2010, available
at http://online.wsj.com/article/SB10001424052748703957804575602730678670278.html.
30 See e.g., Do Not Track: Hearing before the Subcomm. On Commerce, Trade and Consumer
Prot. of the H. Comm. On Energy and Commerce, 111th Cong. (Dec. 2, 2010), available at
http://www.ftc.gov/os/testimony/101202donottrack.pdf (prepared statement of the FTC, Commissioner Kovacic dissenting).
31 See Press Release, Microsoft, Providing Windows Customers with More Choice and Control
of Their Privacy Online with Internet Explorer 9 (Dec. 7, 2010), available at http://www
.microsoft.com/presspass/features/2010/dec10/12-07ie9privacyqa.mspx; Mozilla Blog, Mozilla
Firefox 4 Beta, now including Do Not Track capabilities, http://blog.mozilla.com/blog/2011/
02/08/mozilla-firefox4-beta-now-including-do-not-track-cap abilities/ (Feb. 8, 2011).
32 See W3C Blog, Do Not Track at W3C, http://www.w3.org/QA/2011/02/dolnotl
tracklatlw3c.html (Feb. 24, 2011).
33 See Do Not Track: A Universal Third-Party Web Tracking Opt Out (Mar. 7, 2011), available
at http://tools.ietf.org/html/draft-mayer-do-not-track00; see also http://firstpersoncookie.word
press.com/2011/03/09/mozilla-makes-joint-submission-to-ietf-on-d nt/.
34 See Press Release, Interactive Advertising Bureau, Major Marketing Media Trade Groups
Launch Program to Give Consumers Enhanced Control over Collection and Use of Web Viewing
Data for Online Behavioral Advertising (Oct. 4, 2010), available at http://www.iab.net/
aboutltheliab/recentlpresslreleases/presslreleaselarchive/presslrelease/pr100410;
Tony Romm and Kim Hart, Political Intel: FTC Chairman on Self-Regulatory Ad Effort, POLITICO Forums, http://dyn.politico.com/members/forums/thread.cfm?catid=24&subcatid=78&
threadid=4611665 (Oct. 11, 2010).
VerDate Nov 24 2008
06:38 Mar 19, 2012
Jkt 073308
PO 00000
Frm 00018
Fmt 6633
Sfmt 6621
SCOM1
PsN: JACKIE
15
and has pledged to implement this effort industry-wide.35 The coalition reports that
adoption of the icon and simplified disclosures grew dramatically at the end of last
year.36 In addition, Google has developed a browser add-on that can be used to block
targeted advertisements from companies that participate in the Digital Advertising
Alliance.37
These recent industry efforts to improve consumer control are promising, but they
are still in the embryonic stage, and their effectiveness remains to be seen. As industry continues to explore technical options and implement self-regulatory programs, and Congress continues to examine Do Not Track, several issues should be
considered. First, any Do Not Track system should be implemented universally, so
that consumers do not have to repeatedly opt-out of tracking on different sites. Second, the choice mechanism should be easy to find, easy to understand, and easy to
use. Third, any choices offered should be persistent and should not be deleted if,
for example, consumers clear their cookies or update their browsers. Fourth, a Do
Not Track system should be comprehensive, effective, and enforceable. It should opt
consumers out of behavioral tracking through any means and not permit technical
loopholes.38
Finally, it is important to emphasize what is meant by tracking as stakeholders
continue to consider Do Not Track approaches. Consumers certainly may want to
opt-out of more than targeted advertisingthey may want to opt-out of the creation
and use of behavioral profiles for any secondary purposes. For example, they may
want to be sure that their browsing behavior is not used to make employment or
insurance decisions about them. They may also want to opt-out of having their
browsing behavior sold to data brokers for unspecified future uses. At the same
time, no system that allows for unrestricted web browsing can or should prohibit
information collection entirely. As noted the Staff Report, information collection is
necessary for fraud prevention and other commonly accepted practices, such as capping the number of times a consumer sees a particular advertisement. The limited
nature of that collection, however, is qualitatively different from the collection of information to track and profile consumers as they browse the web. Given these considerations, an effective Do Not Track system would go beyond simply opting consumers out of receiving targeted advertisements; it would opt them out of collection
of behavioral data for all purposes that are not commonly accepted.
Commission staff will monitor further industry innovation in this area, which may
build upon existing industry initiatives and incorporate elements of the different
mechanisms being proposed today.
III. Conclusion
Thank you for the opportunity to provide the Commissions views. We look forward to continuing this important dialogue with Congress and this Committee.
Senator PRYOR. Mr. Strickling?

35 The coalition has stated that providing consumers with choices about online advertising is
essential to building the trust necessary for the marketplace to grow. See Interactive Advertising
Bureau, supra note 34.
36 See Written Comment of the Direct Marketing Assoc. Responding to Preliminary Staff Report, cmt. #00449, at 21.
37 See Google Chrome Web Store, Keep My Opt-Outs, available at https://chrome.google.com/
webstore/detail/hhnjdplhmcnkiecampfdgfjilccfpfoe; see also Google Public Policy Blog, Keep your
opt-outs http://googlepublicpolicy.blogspot.com/2011/01/keep-your-opt-outs.html (Jan. 24,
2011).
38 For example, consumers may believe they have opted out of tracking if they block thirdparty cookies on their browsers; yet they may still be tracked through Flash cookies or other
mechanisms.
A Flash cookie, or a Flash local shared object, is a data file that is stored on a consumers
computer by a website that uses Adobes Flash player technology. Like a regular http cookie,
a Flash cookie can store information about a consumers online activities. Unlike regular cookies, Flash cookies are stored in an area not controlled by the browser. Thus, when a consumer
deletes or clears the cookies from his browser using tools provided through the browser, this
may not delete Flash cookies stored on his computer.
Recently, a researcher released a software tool that demonstrates several technical mechanisms in addition to Flash cookies that websites can use to persistently track consumers, even
if they have attempted to prevent such tracking through existing tools. See http://samy.pl/
evercookie; see also Tanzina Vega, New Web Code Draws Concerns Over Privacy Risks, THE NEW
YORK TIMES, Oct. 10, 2010, available at http://www.nytimes.com/2010/10/11/business/media/
11privacy.html.
VerDate Nov 24 2008
06:38 Mar 19, 2012
Jkt 073308
PO 00000
Frm 00019
Fmt 6633
Sfmt 6601
SCOM1
PsN: JACKIE
16
STATEMENT OF HON. LAWRENCE E. STRICKLING, ASSISTANT
SECRETARY FOR COMMUNICATIONS AND INFORMATION,
NATIONAL TELECOMMUNICATIONS AND INFORMATION
ADMINISTRATION, U.S. DEPARTMENT OF COMMERCE
Mr. STRICKLING. Thank you, Chairman Pryor, Senators Kerry

and Isakson. Its a pleasure to be here today to testify on behalf
of the Department of Commerce to discuss the state of online consumer privacy. And I welcome the opportunity to discuss how we
can better protect consumer data privacy in this rapidly evolving
Internet economy. And in doing so Im quite pleased to testify here
today with Chairman Jon Leibowitz of the Federal Trade Commission.
As the principal advisor to the President on communications and
information policy, the NTIA has been hard at work over the last
2 years with Secretary Lockes Internet Policy Task Force, Department of Commerce General Counsel Cam Kerry, and colleagues
throughout the Executive Branch, to conduct a broad assessment
of how well our current policy framework for consumer data is
serving consumers, businesses and other participants in the Internet economy.
I would also like to thank, in particular, the Federal Trade Commission for its collaboration with us and its leadership over the
years in addressing this important issue.
To guide the overall agenda of the Internet Policy Task Force,
which includes issues in addition to privacy, we have focused on
two key principles.
The first is the idea of trust. Its imperative for the sustainability
and continued growth of the Internet that we preserve the trust of
all actors on the Internet. And nowhere is this clearer than in the
context of consumer privacy. If users do not trust that their personal information is safe on the Internet theyll be reluctant to
adopt new services.
Our second principle is that we want to encourage multi-stakeholder processes to address key Internet issues. We want stakeholders to come together to deal with these issues in ways that display the flexibility, speed and efficiency that often are lacking with
more traditional regulatory responses.
These two principles inform the new framework for addressing
online privacy that the Department proposed in its privacy Green
Paper last December. The key elements of this framework include
the following:
First, we recommended the establishment of a set of Fair Information Practice Principles as the foundation for the protection of
consumer privacy in the Internet economy. These principles will set
a baseline of consistent, comprehensible data privacy protection in
new and established commercial contexts.
Second, to promote flexibility and speed to address privacy issues
as they arise, the Green Paper recommended that the Department engage actively with industry and consumer groups to develop enforceable codes of conduct.
And third, consistent with the FTCs existing enforcement role in
the protection of privacy, the Green Paper recommends strengthening the Commissions authority to enforce these baseline privacy
principles.
VerDate Nov 24 2008
06:38 Mar 19, 2012
Jkt 073308
PO 00000
Frm 00020
Fmt 6633
Sfmt 6601
SCOM1
PsN: JACKIE
17
We received roughly 100 comments on the Green Paper and we
are working hard to prepare a final document later this spring as
a statement of Administration policy in this area. But, as we have
reviewed the comments and we continued our discussions, I can report today that the Administration now recommends that Congress
enact legislation to provide a firm legal foundation supporting specific aspects of this new policy.
We specifically recommend that any legislation to provide a
stronger statutory framework to protect consumer privacy should
contain three key elements.
First, it should create baseline consumer data privacy protectionsas Senator Kerry referred to it, a consumer bill of rights
that are enforceable at law. Specifically, we support making a comprehensive set of FIPPs the basis of this law. This set of agreedupon principles would provide clear privacy protections for personal
data in the commercial context in which existing privacy laws do
not apply or offer adequate protection.
Second, legislation should provide the FTC with the authority to
enforce any baseline protections. Granting the FTC explicit authority to enforce baseline privacy principles will strengthen its role in
consumer data privacy protection and enforcement, resulting in
better protection for consumers.
Third, legislation should create a framework that provides incentives for the development of enforceable codes of conduct as well as
continued innovation around privacy protections. These codes can
allow industry and government to adapt rapidly to a fast evolving
online marketplace. And one incentive we urge Congress to consider is to give the FTC the authority to offer a safe harbor for
companies that implement codes of conduct that are consistent
with the baseline protections.
This statutory framework is designed to be flexible, to keep its
requirements well-tailored, and to provide a basis for greater interoperability with other countries privacy laws.
Working together with Congress, the FTC, the Executive Office
of the President and other stakeholders, I am confident in our ability to provide consumers with meaningful privacy protections in the
Internet economy, backed by effective enforcement that could adapt
to changes in technology, market conditions, and consumer expectations. Establishing and maintaining this dynamic consumer data
privacy framework is not a one shot game, and it will require the
ongoing engagement of all stakeholders. The Department and the
Administration are firmly committed to that engagement.
With or without legislation, the Department and NTIA will continue to make consumer data privacy a top priority. We will convene Internet stakeholders to discuss how best to encourage the development of privacy codes of conduct. The Department will support the Administrations efforts to encourage global interoperability by stepping up our engagement in international policymaking bodies. And we will continue to work with Congress and all
other stakeholders to develop consensus on reforms to our consumer data privacy policy framework.
I look forward to working with this Committee on this important
issue, starting with answering any questions you have for me
today. Thank you.
VerDate Nov 24 2008
06:38 Mar 19, 2012
Jkt 073308
PO 00000
Frm 00021
Fmt 6633
Sfmt 6601
SCOM1
PsN: JACKIE
18
[The prepared statement of Mr. Strickling follows:]
PREPARED STATEMENT OF HON. LAWRENCE E. STRICKLING, ASSISTANT SECRETARY
FOR COMMUNICATIONS AND INFORMATION, NATIONAL TELECOMMUNICATIONS AND
INFORMATION ADMINISTRATION, U.S. DEPARTMENT OF COMMERCE
I. Introduction
Chairman Rockefeller, Ranking Member Hutchison, distinguished Committee
Members, thank you for the opportunity to testify on behalf of the Department of
Commerce (Department) to discuss Internet privacy policy reform. I welcome the
opportunity to discuss how we can better protect consumer data privacy in the rapidly evolving Internet Age. In doing so, I am pleased to testify here today with Jonathan Leibowitz, the Chairman of the Federal Trade Commission (FTC).
As the principal advisor to the President on communications and information policy, the National Telecommunications and Information Administration (NTIA) has
been hard at work over the last 2 years with Secretary Lockes Internet Policy Task
Force and colleagues throughout the Executive Branch to conduct a broad assessment of how well our current consumer data privacy policy framework serves consumers, businesses, and other participants in the Internet economy. Over the same
period of time, the Internet Policy Task Force has engaged, formally and informally,
with a broad array of stakeholders, including companies, consumer advocates, academic privacy experts, and other government agencies. We identified privacy as a
key issue in strengthening consumer trust, which, in turn, is critical to realizing the
full potential for innovation and growth of the Internet. Our work culminated in the
release of the Task Forces Green Paper on consumer data privacy in the Internet
economy on December 16, 2010. The Green Paper made ten separate recommendations about how to strengthen consumer data privacy protections in ways that also
promote innovation, but it also brought to light many additional questions.
We sought public comment on these recommendations, and we have been busy
considering the roughly 100 written responses that were filed. One general conclusion to be drawn from the comments is that the commenters believe that American
consumers should have stronger privacy protections, and the companies that run
our Internet economy should have clearer rules of the road to guide their uses of
data about consumers.
II. Stakeholders Perspectives on Our Current Consumer Data Privacy
Framework
The Internet economy is sparking tremendous innovation. During the past fifteen
years, networked information technologiespersonal computers, mobile phones,
wireless connections and other deviceshave been transforming our social, political
and economic landscape. A decade ago, going online meant accessing the Internet
on a computer in your home. Today,going online includes smartphones, portable
games, and interactive TVs, with numerous companies developing global computing
platforms in the cloud.
The Internet is also an essential platform for economic growth, both domestically
and globally. Almost any transaction you can think of is being conducted online
from consumers paying their utility bills and people purchasing books, movies and
clothes, to major corporations paying their vendors and selling to their customers.
According to the U.S. Census Bureau, domestic online transactions currently total
about $3.7 trillion annually.1 Internet commerce is a leading source of job growth
as well, with the number of domestic IT jobs growing by 26 percent from 1998 to
2008, four times faster than U.S. employment as a whole.2 By 2018, IT employment
is expected to grow by another 22 percent.3
As powerful and exciting as these developments are, they also raise new privacy
issues. The large-scale collection, analysis, and storage of personal information is becoming more central to the Internet economy. These activities help to make the online economy more efficient and companies more responsive to their customer needs.
Yet these same practices also give rise to growing unease among consumers, who
are unsure about how data about their activities and transactions are collected,
used, and stored.4 A basic element of our current consumer data privacy framework
1 U.S. Census Bureau, Commerce Department, E-Stats, May 27, 2010, available at http://
www.census.gov/econ/estats/2008/2008reportfinal.pdf.
2 Commerce Secretary Gary Locke, Remarks on Cybersecurity and Innovation, Georgetown
University, Washington, D.C. (September 23, 2010).
3 Id.
4 According to a recent survey, 83 percent of adults say they are more concerned about online
privacy than they were 5 years ago. Common Sense Media, Online Privacy: What Does It Mean
VerDate Nov 24 2008
06:38 Mar 19, 2012
Jkt 073308
PO 00000
Frm 00022
Fmt 6633
Sfmt 6621
SCOM1
PsN: JACKIE
19
is the privacy policy. As we mentioned in the Green Paper, these lengthy, dense,
and legalistic documents do not appear to be effective in informing consumers of
their online privacy choices. Surveys show that most Americans incorrectly believe
that a website that has an online privacy policy is prohibited from selling personal
information it collects from customers.5 In addition, many consumers believe that
having a privacy policy guarantees strong privacy rights, which is not necessarily
the case.6
The difficulty of understanding a single privacy policy, however, is modest when
compared to the problem of comprehending how personal data flows in todays online environment. A recent study found that 36 of the 50 most-visited websites state
in their privacy policies that they allow third-party tracking.7 This same study
found that a few prominent sites allow more than 20 different third-party tracking
mechanisms in the course of a month. One site even allowed 100 such mechanisms.8
As the study points out, the privacy policy of the site that an individual actually
visits typically does not apply to these third parties.9 In other words, to fully understand the privacy implications of using a particular site, individuals will often have
to begin by considering the privacy policies of many other entities that could gain
access to data about them.
As Americans begin using smartphones and other mobile Internet devices in addition to, or instead of, laptop and desktop computers, the difficulties of understanding personal data flow become even more acute. The small screens that enable
us to carry blogs, social networks, and video around in our pockets pose a new challenge to presenting consumers with information about personal data collection and
use. These devices may also make location information available, which opens the
door to an amazing array of new applications and services, but also adds further
complexity to consumer data privacy issues.10 Assuring consumers that their privacy interests will be protected in this rapidly changing environment is our core
challenge.
During the Departments outreach to stakeholders, we received comments from
consumer groups, industry, and leading privacy scholars, all of whom agreed that
large proportions of Americans do not fully understand and appreciate what information is being collected about them, and how they are able to stop certain practices
from taking place.11 Several consumer advocacy and civil liberties groups expressed
these concerns. These groups supported the Departments overall recommendation
to develop stronger privacy protections for personal data in the commercial setting.
One group expressed this shared view about a basic lack of transparency particularly well:
[C]onsumers face a continuum of risk to personal privacy, ranging from minor
nuisances to improper disclosures of sensitive information and identity theft.
Such unscrupulous practices, carried out without the consumers knowledge or
consent, lead to diminished consumer trust in Internet data practices, thus
stunting growth and innovation.12
Moreover, many consumer groups made a strong economic case for consumer data
privacy reform. Simply put, the inability to distinguish among companies privacy
practices may lead consumers to conclude that all companies engage in equally
invasive practices. As one group noted, even companies willing to adopt the most
to Parents and Kids (2010), available at http://www.commonsensemedia.org/sites/default/files/
privacypoll.pdf (last visited March 5, 2011).
5 Joseph Turow, Chris Jay Hoofnagle, Deirdre K. Mulligan, Nathaniel Good & Jens
Grossklags, The Federal Trade Commission and Consumer Privacy in the Coming Decade, 3 I/
S: JOURNAL OF LAW & POLICY 723 (2007), available at http://www.is-journal.org/.
6 Chris Jay Hoofnagle & Jennifer King, Research Report: What Californians Understand
About Privacy Offline (2008), available at http://papers.ssrn.com/sol3/papers.cfm?abstract
lid=1133075.
7 Joshua Gomez, Travis Pinnick, and Ashkan Soltani, Know Privacy, at 27, June 1, 2009,
available at http://knowprivacy.org/report/KnowPrivacylFinallReport.pdf.
8 Id. at 26.
9 Id.
10 See, e.g., Frank Groeneveld, Barry Borsboom, and Boy van Amstel, Over-sharing and Location Awareness, Feb. 24, 2010, http://www.cdt.org/blogs/cdt/over-sharing-and-location-awareness (discussing, in the context of their project called Please Rob Me, how adding location information to information posted on social networking sites can have unintended consequences).
11 All comments that the Department received in response to the Green Paper are available
at http://www.ntia.doc.gov/comments/101214614061401/.
12 Consumers Union, Comment on Department of Commerce Privacy Green Paper, Jan. 28,
2011, at 2.
VerDate Nov 24 2008
06:38 Mar 19, 2012
Jkt 073308
PO 00000
Frm 00023
Fmt 6633
Sfmt 6621
SCOM1
PsN: JACKIE
20
stringent privacy policies find that overseas customers are skeptical of those assurances because of the lack of U.S. privacy laws to back them up. 13
Interestingly, industry shares these views in many respects. Some of the leading
innovators in the Internet economy see things the same way. In comments, a leading IT company refuted the argument that baseline consumer data privacy protections would slow innovation: We disagree with the arguments some have advocated
against the adoption of legislation, particularly that privacy legislation would stifle
innovation and would hinder the growth of new technologies by small businesses.
Instead, we believe that well-crafted legislation can actually enable small business
e-commerce growth. 14 Other companies reiterated the call for Federal privacy legislation; one argued that dramatic and rapid technological advances are testing how
the fundamental principles that underpin consumer privacy and data protection
lawsuch as notice, consent, reasonable security, and data retentionshould
apply. 15 Another stressed that consumer-facing companies . . . have powerful
market incentives to protect user privacy, and must respond to user demands in
order to remain competitive. 16 To ensure continued consumer trust, this company
strongly supports the development of a comprehensive privacy framework for commercial actors . . . that create[s] a baseline for privacy regulation that is flexible,
scalable, and proportional. 17 In short, uncertainty over keeping the trust of consumers online is as unsettling for some businesses as it is for consumers.
Commenters were not unanimous in their support for legislation, and some expressed opposition to enacting baseline consumer data privacy legislation. Some
commenters asserted that legislation is appropriate only where particularly sensitive privacy interests are concerned.18 Others argued that a legislative framework
would be too inflexible, 19 a one size fits all 20 collection of rules that will become
static. 21 The Department took these concerns seriously when developing the
Green Papers Dynamic Privacy Framework for consumer data. A central feature of
the Framework is an emphasis on developing industry-specific, enforceable codes of
conduct that establish how Fair Information Practice Principles (FIPPs) apply in a
given commercial context. And these concerns are reflected in the contours of the
recommendations in this testimony.
Thus, based on an initial review of comments, the Department sees a shared set
of principles that could help to inform our efforts to reform consumer data privacy
in the Internet economy. The general agreement of commenters appears to rest on
two tenets. First, to harness the full power of the Internet age, we need to establish
norms and ground rules that promote innovative uses of information while respecting consumers legitimate privacy interests. Second, as we go about establishing
these privacy guidelines, we also need to be careful to avoid creating an overly complicated regulatory environment.
III. Strengthening Our Consumer Data Privacy Framework Through
Baseline Protections
Exactly three months ago, the Department published its Green Paper, which contained a set of preliminary policy recommendations to enhance consumer protection,
strengthen online trust, and bolster the Internet economy. The paper made ten recommendations and sought comment on a set of additional questions. In response to
the paper, the Department received thoughtful and well-researched comments from
over a hundred stakeholders representing industry, consumer groups, and academia.
Having carefully reviewed all stakeholder comments to the Green Paper, the Department has concluded that the U.S. consumer data privacy framework will benefit
from legislation to establish a clearer set of rules for the road for businesses and
13 Center for Democracy and Technology, Comment on Department of Commerce Privacy
Green Paper, Jan. 28, 2011, at 3.
14 Intel, Comment on Department of Commerce Privacy Green Paper, Jan. 28, 2011, at 3.
15 Microsoft, Comment on Department of Commerce Privacy Green Paper, Jan. 28, 2011, at
1.
16 Google, Comment on Department of Commerce Privacy Green Paper, Jan. 28, 2011, at 2.
17 Id.
18 Financial Services Forum, Comment on Department of Commerce Privacy Green Paper,
Jan. 28, 2011, at 8.
19 American Association of Advertising Agencies et al., Comment on Department of Commerce
Privacy Green Paper, Jan. 28, 2011, at 1.
20 Direct Marketing Assn, Comment on Department of Commerce Privacy Green Paper, Jan.
28, 2011, at 4; see also American Business Media, Comment on Department of Commerce Privacy Green Paper, Jan. 28, 2011, at 4; Computer & Communications Industry Association, Comment on Department of Commerce Privacy Green Paper, Jan. 28, 2011, at 18; Keller & Heckman, Comment on Department of Commerce Privacy Green Paper, Jan. 28, 2011 at 1.
21 Business Software Alliance, Comment on Department of Commerce Privacy Green Paper,
Jan. 28, 2011, at 4.
VerDate Nov 24 2008
06:38 Mar 19, 2012
Jkt 073308
PO 00000
Frm 00024
Fmt 6633
Sfmt 6621
SCOM1
PsN: JACKIE
21
consumers, while preserving the innovation and free flow of information that are
hallmarks of the Internet. The Departments privacy Green Papermuch like the
staff report of the Federal Trade Commission (FTC)highlights the need for stronger privacy protections for American consumers. As pointed out in the Commerce report, the United States has a range of data privacy laws that apply to individual
sectors of the economy, such as health care, consumer credit, and personal finance.
But these laws may not offer protection to some of the data uses associated with
consumers activities in the Internet economy. An overarching set of privacy principles on which consumers and businesses can rely could create a stronger foundation for consumer trust in the Internet by providing this broadly applicable framework.
Legislation to provide a stronger statutory framework to protect consumers online
privacy interests should contain three key elements. First, the Administration recommends that legislation set forth baseline consumer data privacy protectionsthat
is, a consumer privacy bill of rights. Second, legislation should provide the FTC
with the authority to enforce any baseline protections. Third, legislation should create a framework that provides incentives for the development of codes of conduct
as well as continued innovation around privacy protections, which could include providing the FTC with the authority to offer a safe harbor for companies that implement codes of conduct that are consistent with the baseline protections. This statutory framework is designed to be flexible, to keep its requirements well-tailored, and
to provide a basis for greater interoperability with other countries privacy laws.
A. Enacting a Consumer Privacy Bill of Rights
The Administration urges Congress to enact a consumer privacy bill of rights
to provide baseline consumer data privacy protections. Legislation should consider
statutory baseline protections for consumer data privacy that are enforceable at law
and are based on a comprehensive set of FIPPs. Comprehensive FIPPs, a collection
of agreed-upon principles for the handling of consumer information, would provide
clear privacy protections for personal data in commercial contexts that are not covered by existing Federal privacy laws or otherwise require additional protection. To
borrow from one of the responses we received, baseline FIPPs are something that
consumers want, companies need, and the economy will appreciate.22
The Administration recommends that the baseline should be broad and flexible
enough to allow consumer privacy protection and business practices to adapt as new
technologies and services emerge. As noted by two privacy scholars, [b]roadly worded legislation . . . motivates firms to produce an industry code of conduct as a way
to construe and clarify the statutory scheme. Thus, baseline privacy legislation and
incentives for industry to develop codes of conduct can go hand-in-hand. 23
Finally, a baseline law holds the promise of making our consumer data privacy
framework more interoperable with international frameworks. Again, leading Internet innovators support baseline legislation as a means of achieving this objective.
For example, a leading online company noted that FIPPs is a common language
used by many governments worldwide, so use of similar terminology will enhance
opportunities for agreement and practical approaches to data policy. 24 A Web
standards organization stated that [e]stablishing baseline commercial data privacy
principles contribute[s] to the further harmonization of the global e-commerce market at least for the countries attached to the OECD, and improve[s] the transatlantic relations on online services of all sorts. 25 Other comments, which represent a wide variety of American companies, consumer advocates, and academic
scholars, also supported this position, often noting that improving global interoperability could benefit companies by reducing their compliance burdens overseas.26
22 See Comment of Hewlett-Packard Co. on Notice of Inquiry, at 2, June 14, 2010, available
at http://www.ntia.doc.gov/comments/100402174017501/attachments/HP%20Comments%2E
pdf.
23 Professors Ira Rubinstein and Dennis Hirsch, Comment to the Department Privacy Green
Paper, January 28, 2011, available at http://www.ntia.doc.gov/comments/101214614061401/
comment.cfm?e=D120453B-FB2B4034962C-C0A352328531.
24 Yahoo!, Comment to the Department Privacy Green Paper, January 28, 2011, available at
http://www.ntia.doc.gov/comments/101214614-0614-01/comment.cfm?e=F6A50C0B00CC44A6-B475-FE218170CA02.
25 World Wide Web Consortium, Comment to the Department Privacy Green Paper, January
28, 2011, available at http://www.ntia.doc.gov/comments/101214614-0614-01/attachments/
ResponseW3C.pdf.
26 See, e.g., Professors Ira Rubinstein and Dennis Hirsch, Comment to the Department Privacy
Green Paper, January 28, 2011, available at http://www.ntia.doc.gov/comments/1012146140614-01/comment.cfm?e=D120453B-FB2B-4034-962C-C0A352328531; Intel, Comment to DepartContinued
VerDate Nov 24 2008
06:38 Mar 19, 2012
Jkt 073308
PO 00000
Frm 00025
Fmt 6633
Sfmt 6621
SCOM1
PsN: JACKIE
22
The Green Paper suggested that comprehensive FIPPs can serve as a basis for
stronger consumer trust while also providing the flexibility necessary to define more
detailed rules that are appropriate for the relationships and personal data exchanges that arise in a specific commercial context. The FIPPs that the Green Paper
presented for discussion were transparency, individual participation, purpose specification, data minimization, use limitation, data quality and integrity, security, and
accountability and auditing. We received many thoughtful comments on how each
of these principles might apply to the commercial context, and we are continuing
to assess whether these principles provide the right framework for online consumer
data privacy. The Administration looks forward to working further with Congress
and stakeholders to define these baseline protections.
B. Implementing Enforceable Codes of Conduct Developed Through Multi-Stakeholder Processes
To encourage specific but adaptable rules for businesses and consumers in the implementation of baseline privacy principles, the Administration recommends a
framework that can promptly address specific privacy issues as they emerge. In this
framework, stakeholders from the commercial, consumer advocacy and academic
sectors, as well as the FTC and other government agencies would come together to
develop enforceable best practices or codes of conduct based on the principles in
baseline legislation. This process would allow stakeholders to develop codes of conduct that address privacy issues in emerging technologies and business practices,
without the need for additional legislation. In this framework, the FTC could have
the authority to provide appropriate incentives, such as a safe harbor, for business
to develop and adopt codes of conduct. Compliance with an approved code of conduct
might be deemed compliance with the statutory FIPPs. Of those stakeholders that
supported legislation, most one telecommunication companys conclusions that [a]s
the Green Paper observes, such a safe harbor provision will reinforce the industrys
incentives to develop self-governance practices that address emerging issues, and to
follow such practices. 27 In addition, legislation should ensure that stakeholders
have appropriate incentives to revise enforceable codes of conduct as changes in
technology, market conditions, and consumer expectations warrant.
This recommendation reflects the Departments view that government must support policy development processes that are nimble enough to respond quickly to consumer data privacy issues as they emerge and that incorporate the perspectives of
all stakeholders. Industry, consumer groups, and civil society, as well as the government, all have vital roles to play in putting baseline privacy protections into practice
in the United States. A leading IT company captured this multi-stakeholder perspective well, commenting that no single entity can achieve the goal of building
trust . . . as it is clearly a shared responsibility. There is a role for governments,
industry, and Non-Governmental Organizations/advocacy groups (NGOs) working
together to form a triangle of trust. 28 A multi-stakeholder strategy for implementation ensures that government establishes the base of this trust triangle. Such a
strategy will be critical to ensure that we end up with a framework that is rational,
that provides businesses with better information about what consumers expect (and
vice versa), but that is also dynamic. Below, I explain in greater detail the leading
role that the Department of Commerce could play in putting this multi-stakeholder
model into practice.
C. Strengthening the FTCs Authority
The independent expertise of the FTC is another key element of this framework.
In addition to its leadership in developing consumer data privacy policy, the FTC
plays a vital role as the Nations independent consumer privacy enforcement authority. Granting the FTC explicit authority to enforce baseline privacy principles would
strengthen its role in consumer data privacy policy and enforcement, resulting in
better protection for consumers and evolving standards that can adapt to a rapidly
evolving online marketplace.
ment Privacy Green Paper, January 28, 2011, available at http://www.ntia.doc.gov/comments/
101214614-0614-01/attachments/Intel%20Corp%20Dept%20Commerce%20green%20paper%20
comment.pdf (Intel supports Federal legislation based on the Fair Information Practices (FIPs)
as described in the 1980 Organization for Economic Co-Operation and Development (OECD) Privacy Guidelines.)
27 Verizon, Comment to the Department Privacy Green Paper, January 28, 2011, available at
http://www.ntia.doc.gov/comments/101214614061401/comment.cfm?e=6BFB924F-75DD-4472
-94F3-F76DB8EE0376.
28 Intel, Comment to Department Privacy Green Paper, January 28, 2011, available at http://
www.ntia.doc.gov/comments/101214614-0614-01/attachments/Intel%20Corp%20Dept%20Comm
erce%20green%20paper%20comment.pdf.
VerDate Nov 24 2008
06:38 Mar 19, 2012
Jkt 073308
PO 00000
Frm 00026
Fmt 6633
Sfmt 6621
SCOM1
PsN: JACKIE
23
D. Establishing Limiting Principles on Consumer Data Privacy Legislation
As the Committee considers these recommendations, we would also like to provide
our thoughts on limitations that Congress should observe in crafting consumer data
that strengthens consumer privacy protections and encourages continuing innovation. Legislation should not add duplicative or overly burdensome regulatory requirements to businesses that are already adhering to the principles in baseline consumer data privacy legislation. Legislation should be technology-neutral, so that it
allows firms flexibility in deciding how to comply with its requirements and encourages business models that are consistent with baseline principles but use personal
data in ways that we have not yet contemplated. And, domestic privacy legislation
should provide a basis for greater transnational cooperation on consumer privacy
enforcement issues, as well as more streamlined cross-border data flows and reduced compliance burdens for U.S. businesses facing numerous foreign privacy laws.
IV. The Departments and NTIAs Next Steps on Internet Privacy Policy
With or without legislation, the Department and NTIA will continue to make consumer data privacy on the Internet a top priority. We will convene Internet stakeholders to discuss how best to encourage the development of privacy codes of conduct. And, the Department will support the Administrations efforts to encourage
global interoperability by stepping up our engagement in international policymaking
bodies. Finally, we will continue to work with Congress and all stakeholders to develop consensus on reforms to our consumer data privacy policy framework.
A. Convening Voluntary Efforts to Define Baseline Privacy Protections
The Department of Commerce can play a leading role in bringing stakeholders together rapidly to develop enforceable codes of conduct, in order to provide greater
certainty for businesses and necessary protections for consumers. The Green Paper
notes that the Departmentand particularly NTIAhas the necessary expertise
and can work with others in government to convene companies, consumer groups,
academics, and Federal and State government agencies. It will be important to
bring NTIAs experience to bear in these activities, since NTIA can work with other
agencies and provide a center of consumer data privacy policy expertise. The Department received significant stakeholder support for the recommendation that it
play a central role in convening stakeholders. A broad array of organizations, including consumer groups, companies, and industry groups announced their support
for the Department to help coordinate outreach to stakeholders to work together on
enforceable codes of conduct.29
Indeed, the Department is pleased to be part of an Administration effort in which
this approach to protecting consumer data privacy may be immediately useful: The
National Strategy for Trusted Identities in Cyberspace (NSTIC).30 The NSTIC,
which is a separate Administration initiative being developed in close consultation
with the private sector, and is not part of the legislative proposal discussed in this
testimony, envisions enhancing online privacy and security through services that
provide credentials that improve upon the username and password schemes that are
common online. The NSTIC proposes a system that would provide individuals the
option of obtaining a strong credential to use in sensitive online transactions. The
NSTIC calls for the participants in this digital identity marketplace to implement
privacy protections that are based on the FIPPs. Developing enforceable codes of
conduct through multi-stakeholder processes is one way that the Department can
work with the private sector to implement these protections.
We thank you, Chairman Rockefeller, for supporting the announcement that the
Department of Commerce will host the National Program Office to coordinate the
Federal activities to implement NSTIC. With the leadership of the private sector,
the Department is ready and willing to support the implementation of NSTIC by
leveraging the tremendous resources of NTIA and the National Institute of Standards and Technology.
B. Encouraging Global Interoperability
Consistent with the general goal of decreasing regulatory barriers to trade and
commerce, the Department will work with our allies and trading partners to reduce
barriers to cross-border data flow by increasing the global interoperability of privacy
frameworks. While the privacy laws across the globe have substantive differences,
29 See, e.g., Comments of Center for Democracy and Technology; Comments of Consumers
Union; Comments of Microsoft; Comments of Walmart; Comments of Intel; Comments of Google;
Comments of Facebook; Comments of Interactive Advertising Bureau; and Comments of Yahoo!
30 For further information, see NIST, About NSTIC, http://www.nist.gov/nstic/ (last visited
Mar. 14, 2011).
VerDate Nov 24 2008
06:38 Mar 19, 2012
Jkt 073308
PO 00000
Frm 00027
Fmt 6633
Sfmt 6621
SCOM1
PsN: JACKIE
24
these laws are frequently based on similar fundamental values. The Department
will work with our allies to find practical means of bridging differences, especially
those that are often more a matter of form than substance.
The Department will work with other agencies to ensure that global privacy interoperability builds on accountability, mutual recognition and reciprocity, and enforcement cooperation principles pioneered in the Organisation for Economic Cooperation
and Development (OECD) and Asia-Pacific Economic Cooperation (APEC). Agreements with other privacy authorities around the world (coordinated by key actors
in the Federal Government) could reduce significant business global compliance
costs.
C. Developing Further Administration Views on U.S. Internet Policy
Finally, we are working to ensure that our work on consumer data privacy policy
complements and informs other Internet policy development efforts that are underway in the Department and throughout the Administration. An invaluable mechanism for making this happen is the Privacy and Internet Policy Subcommittee of
the National Science and Technology Council. The Subcommittee, which the White
House announced last fall, is chaired by Commerce Department General Counsel
Cameron Kerry and Justice Departments Assistant Attorney General Christopher
Schroeder. The Subcommittee provides a forum for Federal agencies and key White
House offices to coordinate and exchange ideas on how to promote a broad, visible,
forward-looking commitment to a consistent set of Internet policy principles. These
core principlesall of which apply to the consumer data privacy contextinclude
facilitating transparency, promoting cooperation, strengthening multi-stakeholder
governance models, and building trust in online environments.
The Subcommittee has already provided the substantive policy discussions that
led to the legislative reform recommendations that I am presenting today. The Department of Commerce looks forward to continuing to work with this Committee.
V. Conclusion
In the end, the Obama Administrations goal is to advance the domestic and global dialogues in ways that will protect consumers and innovation, and to provide
leadership on information privacy policy, regulation, and legislation.
Working together with Congress, the FTC, the Executive Office of the President,
and other stakeholders, I am confident in our ability to provide consumers with
meaningful privacy protections in the Internet economy, backed by effective enforcement, that can adapt to changes in technology, market conditions, and consumer expectations. Establishing and maintaining this dynamic consumer data privacy
framework is not a one-shot game; it will require the ongoing engagement of all
stakeholders. The Department and the Administration are firmly committed to that
engagement. The legislative approach that I have outlined today would lend extremely valuable support to the dynamic framework that we envision. I welcome
any questions you have for me. Thank you.

Chairman Leibowitz, let me start with you if I may. And that is
in your opening statement you mention this new icon that online
advertisers are using. My understanding is that just came online
just, you know, last several weeks at some point. Are you encouraged by what you see or is it too early to know if thats going to
work?
Mr. LEIBOWITZ. Well I would say we are encouraged by what we
are seeing. I would say the industry has been working in good faith
on this icon notion probably for the last 2 years. I think youll have
someone testifying on the next panel about that.
I would say that the pace of moving forward has become far more
rapid since the summer hearings this Committee held and the
House Energy and Commerce Committee held in the fall and since
we released our report in December. So it is promising from our
perspective. The majority of Commissioners would like to see a Do
Not Track mechanism that includes a prohibition on tracking, not
just sending ads back to consumers.
VerDate Nov 24 2008
06:38 Mar 19, 2012
Jkt 073308
PO 00000
Frm 00028
Fmt 6633
Sfmt 6601
SCOM1
PsN: JACKIE
25
But there are important developments really just in the last few
days, including a number of members of that Digital Advertising
Alliance who would like to see restrictions on tracking except for
fraud purposes. So, yes.
Mr. Strickling, I think I saw yesterday, maybe last night, a story
that the White House is talking about a privacy bill of rights or
do you anticipate that theyll come forward with a proposal, with
a bill or is this more just general concepts that, you know, we can
expect to see from the White House?
Mr. STRICKLING. Yes, sir. The Green Paper was put out in December. And we are currently working to develop a more complete
and what we hope will be an Administration statement of policy
later this spring. What I testified to this morning is that the Administration is now at the point of recommending that this be dealt
with in legislation.
We will continue to flesh out the particulars as we complete our
overall policy paper. But were prepared to start working with this
Committee and other Members of Congress on those specifics now.
Mr. Leibowitz, I have some questions for you about Do Not
Track, but I think what Id like to do is go to Senator Isakson since
the vote just started and allow Senator Isakson to ask and then
Senator Kerry.
Go ahead.
Senator ISAKSON. Thank you, Mr. Chairman.
Mr. Leibowitz, in youron page two of your prepared testimony
you have the number of cases you brought over the last 15 years
in various categories, spam, fair credit reporting act, etcetera, childrens protection. Is that volume by category proportionate to the
number of complaints that you get or is it just?
Mr. LEIBOWITZ. Well, we keep a complaint database, Consumer
Sentinel, and thats one way and a very important way in which
we develop cases. There are other ways as well. Its not a perfect
symmetry, but we like to think its in proportion to the need to
bring cases. As you know were a very small agency. So we try to
leverage our limited resources.
But we think we try to go where the harm is or is going to be.
And so we think its reflective of that. But let meIll get you some
consumer complaints.
[The Federal Trade Commission submitted to the Committee, after this hearing,
the Federal Trade Commission Consumer Sentinel Network Data Book, JanuaryDecember 2010, published March 2011. It is available at http://www.ftc.gov/sentinel/
reports/sentinel-annual-reports/sentinel-cy2010.pdf. The executive summary follows.]
Executive Summary
Consumer Sentinel Network Data Book
JanuaryDecember 2010
The Consumer Sentinel Network (CSN) contains over 6.1 million complaints
dating from calendar year 2006 through calendar year 2010. There are over 7.8
million do-not-call complaints from this same time period.
The CSN received over 1.3 million complaints during calendar year 2010: 54
percent fraud complaints; 19 percent identity theft complaints; and 27 percent
other types of complaints.
VerDate Nov 24 2008
06:38 Mar 19, 2012
Jkt 073308
PO 00000
Frm 00029
Fmt 6633
Sfmt 6621
SCOM1
PsN: JACKIE
26
Identity theft was the number one complaint category in the CSN for calendar
year 2010 with 19 percent of the overall complaints, followed by Debt Collection
(11 percent); Internet Services (5 percent); Prizes, Sweepstakes and Lotteries (5
percent); Shop-at-Home and Catalog Sales (4 percent); Impostor Scams (4 percent); Internet Auction (4 percent); Foreign Money Offers and Counterfeit Check
Scams (3 percent); Telephone and Mobile Services (3 percent); and Credit Cards
(2 percent). The complete ranking of all thirty complaint categories is listed on
page six of this report.
Fraud
A total of 725,087 CSN 2010 complaints were fraud-related. Consumers reported paying over $1.7 billion in those fraud complaints; the median amount
paid was $594. Eighty-six percent of the consumers who reported a fraud-related complaint also reported an amount paid.
Sixty percent of all fraud-related complaints reported the method of initial contact. Of those complaints, 45 percent said e-mail, while another 11 percent said
an Internet website. Only 10 percent of those consumers reported mail as the
initial point of contact.
Colorado is the state with the highest per capita rate of reported fraud and
other types of complaints, followed by Maryland and Nevada.
Identity Theft
Government documents/benefits fraud (19 percent) was the most common form
of reported identity theft, followed by credit card fraud (15 percent), phone or
utilities fraud (14 percent), and employment fraud (11 percent). Other significant categories of identity theft reported by victims were bank fraud (10 percent) and loan fraud (4 percent).
Government documents/benefits fraud increased 4 percentage points since calendar year 2008; identity theft-related credit card fraud, on the other hand, declined 5 percentage points since calendar year 2008.
Forty-two percent of identity theft complainants reported whether they contacted law enforcement. Of those victims, 72 percent notified a police department. Sixty-two percent indicated a report was taken.
Florida is the state with the highest per capita rate of reported identity theft
complaints, followed by Arizona and California.
Mr. LEIBOWITZ. As you know being a member of this Committee,

sometimes youll see something youll read about or a Commissioner will and that will go into the investigative process. So there
are all different ways we bring cases.
Senator ISAKSON. That is exactly where I was going with my follow up question. In most federal enforcement agencies the cases
they pursue are in response to complaints from citizens. But you
alsodo you also monitor news media and reports and then follow
up based on whether or not it appears to fall under your responsibility?
Mr. LEIBOWITZ. Sure, we do. And in fact we brought a very important antitrust case because Senator Klobuchar raised it at a
hearing maybe a year ago. This was on a merger involving a drug
used for children with heart defects. And so it comes from a lot of
places.
You know, were a very bipartisan agency. All the Commissioners
have ideas of about what we should be doing and it all is channeled
into our investigative and our enforcement efforts.
Senator ISAKSON. Where does the volume of penalties, I mean,
$60 million in civil penalties, $21 million in civil penalties and five.
It looks like to me its about $80 million in civil penalties you collect over the year. Where does that money go? Back into the agency
or back to the general treasury?
Mr. LEIBOWITZ. It goes back to Treasury. And then more often
we will try to get redress for consumers. One of the things that we
VerDate Nov 24 2008
06:38 Mar 19, 2012
Jkt 073308
PO 00000
Frm 00030
Fmt 6633
Sfmt 6601
SCOM1
PsN: JACKIE
27
try to obtain in the financial reform legislation was the ability to
get civil penalties for violations of our standard unfair and deceptive acts or practices authority. And it didnt make it into the final
legislation.
It was something that Caspar Weinberger actually supported
when he was the FTC Chair back in the early 1970s. And we hope
to come back and revisit that going forward. But as a result, we
have limited fining authority. It usually goes back to Treasury.
Senator ISAKSON. Im assuming based on what Ive heard in the
testimony that probably the most effective way to protect the consumer would be give them a mechanism to protect themselves. You
talked about the icon where you can just elect
Mr. LEIBOWITZ. Yes.
Senator ISAKSON.whether or not your information can be
shared or not. Do we know if technologically thatI think technologically anything can be done now, but is that doable?
Mr. LEIBOWITZ. Yes, that is doable. And the only question is
about exactly which way to do it.
Senator ISAKSON. Thank you, Mr. Chairman.
Senator Kerry?
Senator KERRY. Thank you, Mr. Chairman.
Chairman Leibowitz, I want to trya lot has been discussed
about the Do Not Track proposal. And I want to try to hone in on
it a little bit. Is it your judgment that if a company comes up with
a pretty strict policy which has broad privacy protections and adequate opt in, et cetera, et cetera, and opt-out or out, do you think
then that the Do Not Track is still necessary?
Mr. LEIBOWITZ. At this point I think we do, because if individual
companies have individual practices that may support a baseline
consumer or commercial bill of rights here, I think that is a great
idea it may not mean that every company has that. And I think
what were trying to do, like you, is develop a baseline for privacy
protection for consumers.
So from my perspective a Do Not Track mechanism thats easy
to implement, going back to Senator Isaksons point, could be an
important choice mechanism for consumers and an important way
to protect privacy for consumers who want to limit tracking.
Senator KERRY. So in terms of the potential harm or protection
depending on which way you look at it, that youre trying to provide the consumer if you had a Do Not Track it doesnt mean that
theyre going to get no advertising like a Do Not Call means youre
not going to get any calls. It simply means youre not going to get
customized advertising. But youll still get bombarded by advertising.
Mr. LEIBOWITZ. You will still get advertising. It may not be targeted. But again, from our perspective
Senator KERRY. So the analogy to Do Not Call is not an appropriate one. Would you
Mr. LEIBOWITZ. Yes, its very different than Do Not Call.
Senator KERRY. OK.
Mr. LEIBOWITZ. Its very different from Do Not Call. Its also not
government run as we run the Do Not Call list.
Senator KERRY. OK.
VerDate Nov 24 2008
06:38 Mar 19, 2012
Jkt 073308
PO 00000
Frm 00031
Fmt 6633
Sfmt 6601
SCOM1
PsN: JACKIE
28
So then is there an assumption therefore that if you had a standard and you had a code and you had a strong privacy offering that
the tracking is per se bad?
Mr. LEIBOWITZ. No, we dont think tracking is per se bad at all.
We think most consumers wont mind being tracked. They get more
personalized advertising.
We just think consumers ought to have the ability to opt out of
that kind of tracking. I mean, the analogy we sometimes use is if
youre walking around a mall, someone shouldnt be sort of trackingfollowing you around even if they dont know who you are and
sending e-mails off to the stores in front of you saying well, thats
Jon Leibowitz. Hes interested in buying a Madras jacket in his
usual green and red colors.
You know, you should have the right not to be followed around
if you dont want to be followed around.
Senator KERRY. So if a firm has a very strong policy, a privacy
policy and then you have another firm that doesnt have a very
strong kind of policy.
Mr. LEIBOWITZ. Right.
Senator KERRY. Youre going to treat them both the same in the
context of the Do Not Track.
Mr. LEIBOWITZ. Well.
Senator KERRY. Theres no virtue to having the stronger policy
and therefore allowing the tracking to take place in the context of
that stronger policy.
Mr. LEIBOWITZ. Well, stronger policy outside of Do Not Track
may have many virtues, right? It will include privacy by design. It
will include readable privacy notices. Theyll be transparency.
Theyll be more choice.
But my sense is that a lot of the most responsible companies support a Do Not Track notion for third party cookies. And so I think
theres an enormous benefit to having a baseline FIPPs privacy
protection and then negotiated industry codes. Were working with
the Commerce Department on that.
But we also think theres a value in having the ability to opt-out
of targeted advertising or maybe targeted advertising for just sensitive information like medical searches or financial information.
Senator KERRY. With respect to the Wall Street Journal series on
the issue of what they know. I assume you followed that?
What did you draw from that? What came out of that in your
judgment?
Mr. LEIBOWITZ. So let me say a few general things and some specific things.
So generally, what came out of thatand it was a series of stories, as you know, last summer, and then many follow-ups.
One is that some companies have very good privacy practices,
but many of them do not. And it results in an enormous amount
of information being collected about consumers thats invisible to
consumers and not on the sites that theyre on, but by cookies and
software embedded in consumers computers. And so it really was
a motivation for us to step up our enforcement efforts and to write
our privacy report.
And then more specifically, were having a debate about whether
to propose a Do Not Track mechanism. And one of the issues we
VerDate Nov 24 2008
06:38 Mar 19, 2012
Jkt 073308
PO 00000
Frm 00032
Fmt 6633
Sfmt 6601
SCOM1
PsN: JACKIE
29
had internally in the Commission was: is it technologically feasible? And of course, one of the stories, as you know, was about
Microsoft having developed this and the balancing act they did between their privacy advocates and engineers on the one hand and
their marketers. And how they resolved it was they sort of split the
difference.
And so we knew then that Do Not Track was technologically feasible. And Microsoft to its credit has stepped up and endorsed the
concept since our report.
Senator KERRY. Thank you.
[Laughter.]
STATEMENT OF HON. CLAIRE MCCASKILL,
U.S. SENATOR FROM MISSOURI
Senator MCCASKILL. Thank you, Mr. Chairman.

Iyou know when you talk about privacy its in the same category as motherhood and apple pie in this country. And I think
weve got a real problem here because what most Americans dont
understand and frankly, what maybe, unfortunately, two Members
of Congress dont understand is we have monetized the Internet
with behavior marketing. It is an amazing amount of free information that is immediately accessible because of behaviorally marketing. So I guess, you know, it equals money.
And so I guess my first question is havedoes anybody know?
Do either of you know what the cost is going to be in terms of the
economic vibrancy of the Internet for some of the things that are
being considered? And isnt it fair to envision that a Do Not Track
in fairness since behavioral marketing is money, isnt it fair to
think that some of these companies are going to charge for that?
Mr. LEIBOWITZ. For opting out of tracking?
Senator MCCASKILL. Yes.
Mr. LEIBOWITZ. We have not seen that yet even in the
Senator MCCASKILL. But we havent passed any laws yet.
Mr. LEIBOWITZ. No, but to their credit, there is a major group of
companies, called the Digital Advertising Alliance, thats in the
process of offering some sort of free opt-out. Now we think it should
go a little further. But no one has talked about monetizing that.
And I think thats a good thing. And I think its a recognition
also that businesses understand that if you put some limits on
tracking or you have some privacy protections as the Commerce
Department envisionsand Im supportive of that though you dont
necessarily need to bethe sky wont fall down on Internet commerce. Its going to continue. And indeed if consumers have more
trust in the Internet, theyre going to do more business on the
Internet too.
Senator MCCASKILL. Do you think that there is envisioned where
we draw the line? For example, we would never dream of telling
Slim Fast they couldnt advertise on Oprah, right? Behavioral marketing. They know that there are mostly women that are watching
that show. And they know that most of their product is consumed
by women. And so they are behaviorally marketing to that segment.
VerDate Nov 24 2008
06:38 Mar 19, 2012
Jkt 073308
PO 00000
Frm 00033
Fmt 6633
Sfmt 6601
SCOM1
PsN: JACKIE
30
How will we draw the line between what kind of behavioral marketing is fair and what kind of behavioral marketing invades privacy?
Mr. LEIBOWITZ. Well, I think youve raised a really important
point. And I dont know if you were here when Senator Isakson was
speaking. He used to run a company. They advertised. And he
pointed out that theres a difference between advertising on the
Internet where you can figure out things about people, not from
classic PI, personal information, but from the aggregated enormous
amounts of information.
And so its different than advertising on Oprah or advertising on
TV. And that seems to me, thats a point where we want to ensure
privacy protections for consumers. And I think that the DepartmentI dont speak for the Department of Commerce, but I assume that you do.
Mr. STRICKLING. And I would just add to the comments the
Chairman has made that in our discussions we find a very strong
level of support among industry to create this baseline of protections. The baseline though, its fair to call it a bill of rights. I mean
what we have in mind is not unlike the Bill of Rights, a concise
statement of the right that the consumer has, and then relying on
industry, working with consumer groups, working with other experts in the field, to come up with these codes of conduct that provide more specificity.
We think, in that regard, we dont have to see the government
drawing some of these very difficult lines and imposing them as
regulation as long as were providing adequate oversight of this
process by which industry, working with all stakeholders, develops
appropriate codes. We think we can get to a regime that will greatly improve privacy for consumers and still meet the needs of businesses who want to continue to see the growth of the Internet.
Mr. LEIBOWITZ. If I can just follow up briefly. And youre right.
I dont think most American consumers understand where their information is going, how its been monetized, how its been traded.
But in another sort of bedrock level, I think they get the issues of
Internet privacy.
There was a poll by a group called Consumer Watchdog that
found 80 percent of Americans wanted to see a Do Not Track option. I think Common Sense Media had a poll that you mentioned,
talking about greater concern that parents had over their kids.
Senator MCCASKILL. Right.
Mr. LEIBOWITZ. About Internet privacy and safety. Gallup had a
poll that also reflected this. So I think at some level Americans understand.
Senator MCCASKILL. I agree. And I dont mean to cut you off. But
I dont want to miss this vote and while Im going to try to come
backI just think weve got to be very careful about the unintended consequences.
We know the good guys are going to try to do this right. We
know the bad guys, its going to be very hard to regulate them in
a way that makes sense. So what I dont want to do is handcuff
the good guys because with all due respect, I mean, you know, if
we think were doing a really good job in consumer oversight of the
commerce in this country right now. You know, I mean, dont get
VerDate Nov 24 2008
06:38 Mar 19, 2012
Jkt 073308
PO 00000
Frm 00034
Fmt 6633
Sfmt 6601
SCOM1
PsN: JACKIE
31
me started on the ads I see on cable TV that I just need to get my
government benefit and all of the things that are out there that are
not being adequately policed.
So I just want to make sure that we dont kill the goose that laid
the golden egg here under the rubric of the very laudable notion
of privacy. I just think that weve got to go very carefully, make
sure that we think about the unintended consequences and most
importantly, think about the bad guys that arent going to pay any
attention to your code of conduct.
And consumers are going to continue to not have confidence in
the Internet as long as those bad guys are out there. So I just
I think weve got to be very careful and not go too fast, too far,
without thinking about what may be down the line.
Mr. STRICKLING. If I could respond quickly to that. I think the
proposal that weve made answers your concern. It would have legislation that would create a baseline of these fair information practice principles. And those are some of the things that the Chairman
mentioned earlier, things like transparency and disclosure, what
level of consent.
Im confident that if, in doing so, the Congress also gives the FTC
the enforcement authority to enforce that theyre going to be able
to go after the bad guys based on that baseline. But what the baseline allows though is the flexibility to the good guys, as you call
them, to craft the more specific protections that they need to have
to allow them to run their businesses.
Senator MCCASKILL. I agree. I will just tell you that I have a
feeling that, Mr. Leibowitz, that your budget is not going to grow
enormously over the next decade. And youve got plenty of work to
do over there.
And frankly a lot of work that needs to be done that you cant
do now. And if were going to add to your work load and at the
same time do something that is going to minimize the amazing
things weve done on the Internet, I just think weve got to make
sure America buys into that agreement.
Mr. LEIBOWITZ. Yes, I agree with that.
Senator PRYOR. Let me interrupt here just for a second because
this vote is about to close. And Senator, we need to run over there
and vote. So what Ill do is recess this for just a few moments. Let
us go do these two votes. And then well reconvene in just a few
minutes.
Thank you.
[Recess.]
Senator PRYOR. Ill reconvene the hearing. I want to thank everyone for being patient with us and we had those two votes. And my
understanding is we have a few Senators on the way back over.
But I know that Senator Klobuchar wanted to ask questions of this
first panel.
So Senator Klobuchar?
STATEMENT OF HON. AMY KLOBUCHAR,
U.S. SENATOR FROM MINNESOTA
Senator KLOBUCHAR. Well, thank you very much, Chairman.

Thank you for holding this hearing. And thank you to our two witnesses and as well as the second panel.
VerDate Nov 24 2008
06:38 Mar 19, 2012
Jkt 073308
PO 00000
Frm 00035
Fmt 6633
Sfmt 6601
SCOM1
PsN: JACKIE
32
But thank you, Chairman Leibowitz and Administrator
Strickling. It is great to be here with you on an important topic.
And I wanted to focus a little bit on websites with teens and children maybe because I walked into my daughters room last night
and she was webcasting with her friend. And luckily they were
working on their homework. And the interview shes doing with
Senator Murkowski which will be Im sure, devastating to Senator
Murkowski.
But I wanted to ask you a few questions on this. A recent Wall
Street Journal article examined 50 websites popular with teens and
children to see what tracking tools they installed on a test computer. As a group the sites used over 4,000 cookies, beacons and
other pieces of tracking technology. That it actually 30 percent
more than were found in a similar analysis of adult websites which
is rather disturbing I think that there were more of these being
used on childrens websites.
Can you describe your agencys experiences dealing with tracking
of children and teens online? And what do you think needs to be
done here?
Mr. LEIBOWITZ. Well, I think theres no doubt that theres an extraordinary amount of monetizing of teen information. As you
know, from your daughter, who I believe is a very responsible 15
year old. And I know from my children that they spend a lot of
time online.
And so one of the recommendations in our report discusses the
need for a kind of enhanced consent for children. Were taking comments on that.
But of course one of the other issues with teens is often, they act
impulsively. They put things online that they never expect will remain there. When a privacy policy of a social network switches
from something that protects privacy to something that has less
privacy protections sometimes kids dont realize or teens dont realize that a lot of information that they thought was private will be
put online.
So its a very important issue for us. And we are studying it.
Senator KLOBUCHAR. OK. Anything you would like to add, Administrator?
Mr. STRICKLING. No.
Senator KLOBUCHAR. As we talk about privacy I wondered Chairman Leibowitz, if the FTC has looked into the issue of privacy notifications on smartphones. As you can imagine those are smaller letters and harder to read, yet they access the same type of information and also have the same kind of privacy concerns as other larger computer screens.
Mr. LEIBOWITZ. Well, I believe in our report we looked at mobile
phones. Weve done a number of hearings on mobile issues because,
youre right. In terms of privacy policies theyre much harder to
read. In terms of applications for children, of course, you wrote to
us about a particular application. And we were glad to see that the
alleged malefactors have improved their app standards.
These are all very, very important issues and particularly in the
mobile space. Were going to try to see how we can encourage more
consumer choice and more transparency. So few people and certainly so few children understand the terms of service. You need
VerDate Nov 24 2008
06:38 Mar 19, 2012
Jkt 073308
PO 00000
Frm 00036
Fmt 6633
Sfmt 6601
SCOM1
PsN: JACKIE
33
to have easy-to-understand terms of service for children or parents
who have a lot of information thats taken from kids and thats
placed onlineinformation that perhaps parents wouldnt want
their kids to share, and kids or teens may not want to share themselves.
Senator KLOBUCHAR. Administrator?
Mr. STRICKLING. I think what Id like to say in response to both
of the examples youve given is the fact that its impossible for us
to predict today what the privacy issue is going to be 6 months or
12 months from now. And thats why the framework that the Administration is proposing for legislation to use codes of conduct that
will be prepared by this multi-stakeholder group of industry is very
important because it gives you the speed and the flexibility to respond to these types of issues when they arise. If were chasing
after these issues and trying to write regulations in a more formal
way that perhaps take a year to write, we cant possibly stay up
on the issues that arise.
Senator KLOBUCHAR. So the argumentyes.
Mr. STRICKLING. And so overall I think this again is further demonstration of the need to have an industry-based, actually a full
multi-stakeholder process to work on these codes of conduct and to
deal with these issues when they arise. And indeed that in effect
is what, you know, Chairman Leibowitz and the FTC are doing on
an individual issue basis, is assembling the parties to get them to
talk about these issues and nudging them in the right direction.
And I think thats the appropriate model we want going forward.
Senator KLOBUCHAR. I think thats the name of Cass Sunsteins
bookNudge.
Mr. LEIBOWITZ. Nudge.
Senator KLOBUCHAR. So thats all
Mr. LEIBOWITZ. Not noodge, not noodge. Nudge.
Senator KLOBUCHAR. It looks like you want to add something.
But I just wantChairman Leibowitz, but I wanted to follow up
on that. It would seem to me just one of the problems is, as we all
know under the best circumstance it takes so long for us to get
these laws done. So clearly if we can get these voluntary codes of
conduct that would respect the development of the technology and
also not interfere with the development of the technology would be
key as long as we actually get these voluntary codes of conduct.
Mr. Chairman?
Mr. LEIBOWITZ. Yes. And I wanted to check to our Bureau Director to make sure I could say this. We have multiple investigations
going on of inadequate notice on mobile and to kids. And apparently in one of the investigations were doing, the privacy notice on
mobile was 151 or 152 clicks or screens away.
[Laughter.]
Mr. LEIBOWITZ. So I think the reasonable consumer will not
Senator KLOBUCHAR. Youre kidding. So you mean if they wanted
to find the privacy notice they had to click 152 times to get to the
window that
Mr. LEIBOWITZ. 106 or 107 because the first time you may not
have to click. But yes.
Senator KLOBUCHAR. OK. Well I get it. Well, thank you for clarifying that for the record.
VerDate Nov 24 2008
06:38 Mar 19, 2012
Jkt 073308
PO 00000
Frm 00037
Fmt 6633
Sfmt 6601
SCOM1
PsN: JACKIE
34
[Laughter.]
Senator KLOBUCHAR. Alright. Thank you to both of you. And I
appreciate the way that this is moving. I think its the right way.
Thank you.
Senator PRYOR. Thank you both for joining us today. There are
several Senators who either had to come and go or expressed an
interest in being here. And probably well leave the record open for
a couple weeks to allow Senators to ask questions. Wed appreciate
a quick response.
But thank you all for being here today. And Ill go ahead and introduce our second panel.
Mr. LEIBOWITZ. Thank you, Mr. Chairman.
Senator PRYOR. Oh, thank you very much. Thank you.
Well go ahead and bring up our second panel. And the staff as
always will do a quick switch, switcheroo here. And bring the second panel forward with their name tags.
And as they are doing this what Ill do is Ill go ahead and introduce the members of the second panel. And then once they get situated Ill just call on them as we go down the row.
First would be Erich Andersen, Vice President and Deputy General Counsel of Microsoft.
Second will be John Montgomery, Chief Operating Officer of
GroupM Interaction.
Third will be Ashkan Soltani, Researcher and Consultant.
Fourth will be Barbara Lawler, Chief Privacy Officer for Intuit.
And the fifth, last but certainly not least, will be Chris
Calabrese, Legislative Counsel with the American Civil Liberties
Union.
So as were getting set up here. And I see water is getting poured
and charts are getting established. Just one moment we will go
ahead and call on Mr. Andersen whenever we are ready. So, Mr.
Andersen, go ahead.
STATEMENT OF ERICH D. ANDERSEN,
DEPUTY GENERAL COUNSEL, MICROSOFT CORPORATION
Mr. ANDERSEN. OK. Thank you, Mr. Chairman.

Mr. Chairman and honorable members of the Committee, my
name is Erich Andersen and Im the Deputy General Counsel of
Microsofts Windows Division. Thank you for inviting me to testify
today about the state of online privacy. We applaud the leadership
that the Committee has shown on this issue.
I also want to endorse Assistant Secretary Stricklings call for
federal privacy legislation.
Legislation can be an important component of a multipronged approach to privacy but also includes technology tools, industry initiatives and consumer education. At Microsoft consumer trust is vital
to our business. And privacy is a critical component to earning and
maintaining that trust. In all our service offerings we strive to be
transparent about our privacy practices, offer meaningful privacy
choices and protect the security of the data that we store.
In my role for the Windows Division, Ive worked with our software team to develop privacy enhancing features for Windows and
Internet Explorer. We have groups working on similar efforts
throughout Microsoft including for our Bing search engine, Xbox
VerDate Nov 24 2008
06:38 Mar 19, 2012
Jkt 073308
PO 00000
Frm 00038
Fmt 6633
Sfmt 6601
SCOM1
PsN: JACKIE
35
gaming platform and our advertising services. The different ways
that we engage with consumers give us a unique perspective on the
privacy discussion. In light of our experience we believe that a combination of technology tools, industry initiatives, consumer education and legislation is needed to protect privacy and promote innovation.
Let me briefly explain the importance of technology. At Microsoft
we have implemented privacy by design. We engineer privacy into
our products and services from the outset. And we consider privacy
throughout the product life cycle.
One example of where we put this principle into practice is the
privacy features weve developed for Internet Explorer. The most
recent version of Internet Explorer, IE 9 was released this week.
And it offers a ground breaking new tool called tracking protection.
This Do Not Track feature allows consumers to decide which
sites can receive their data and blocks content from sites that they
view as engaged in tracking providing consumers with greater control over their online experiences. Were very proud that Internet
Explorer was the first major browser to respond to the FTCs recent call for a Do Not Track mechanism. We look forward to working with all stakeholders to implement Do Not Track tools in a
meaningful way for consumers and businesses alike.
Industry initiatives can be effective in complementing technology
tools. For instance, weve long partnered with the Network Advertising Initiative to develop principles governing online behavioral
advertising. Were continuing to collaborate with members of the
Digital Advertising Alliance and others in the advertising industry
to implement guidelines and best practices to help ensure that consumers understand and can easily opt-out of behavioral advertising.
The third element of a comprehensive approach to privacy is consumer education. We agree with the FTC and the Commerce Department that consumers need a better understanding of data practices. Thats why we provide consumers with clear information
about our own practices and offer choices about what data will be
collected and how it will be used. Weve also partnered with consumer advocates and government agencies to develop educational
materials on consumer privacy and data security.
The last critical element is federal privacy legislation. Legislation
is needed because the current sectoral approach to privacy regulation is confusing to consumers and its costly for businesses. We believe that legislation should establish a common set of privacy and
security requirements that are not specific to any one technology,
industry or business model.
For particular industries or business models industry initiatives
should co-exist with or should build on top of the baseline obligations of the law. Online advertising is a perfect example. Baseline
federal privacy requirements around user notice, control and security can complement industry initiatives and innovative technology
tools.
In conclusion, Microsoft is committed to working with you to protect consumer privacy in a way that complements technical and industry based measures and promotes continued innovation. Thank
VerDate Nov 24 2008
06:38 Mar 19, 2012
Jkt 073308
PO 00000
Frm 00039
Fmt 6633
Sfmt 6601
SCOM1
PsN: JACKIE
36
you for giving us this opportunity to testify today. I look forward
to answering any questions you may have.
[The prepared statement of Mr. Andersen follows:]
PREPARED STATEMENT
ERICH ANDERSEN, DEPUTY GENERAL COUNSEL,

MICROSOFT CORPORATION
OF
Chairman Rockefeller, Ranking Member Hutchison, and honorable Members of

the Committee, my name is Erich Andersen, and I am Deputy General Counsel of
Microsofts Windows Division. Thank you for the opportunity to share Microsofts
views on an issue that needs the attention of Congress and the work of this Committee: the adoption of meaningful privacy legislation that protects individuals privacy while complementing technological and industry-based measures and promoting continued innovation. We appreciate the leadership that the Committee has
shown on this issue, and we are committed to working collaboratively with you, the
Federal Trade Commission, the Department of Commerce, consumer groups, and
other stakeholders to achieve this important balance.
In my role for the Windows Division, I have worked with our software team to
develop privacy-enhancing features and tools for Windows and Internet Explorer.
We have teams working on similar efforts throughout Microsoftfor instance, in the
Bing search team, the online advertising division, the Xbox group, and our cloud
computing group. Our goal across Microsoft is to build trust with consumers by giving them the tools they want to make them productive and enrich their computing
experience. Privacy is a critical component of earning and maintaining that trust.
In all of our service offerings, we strive to be transparent about our privacy practices, offer meaningful privacy choices, and protect the security of the data we store.
The multiple contexts in which we engage with consumers give us a unique perspective on the privacy discussion. For example, as a website operator, an ad network, and a browser manufacturer, we have a deep understanding of the roles that
different participants in the digital ecosystem play in safeguarding consumer privacy. Also, based on our longstanding involvement in the privacy debate, we recognize that the combined efforts of industry and government are required to effectively
balance the need to protect consumers privacy interests and promote innovation. In
light of our experience, we recommend a multi-pronged approach that includes legislation, industry self-regulation, technology tools, and consumer education.
Today, I will explain why we believe that each of these four elements is important
for protecting consumer privacy, and I will highlight steps that Microsoft has taken
in each area. But first I would like to start with a discussion of how technology has
reshaped consumers engagement online and their privacy expectations.
I. Protecting Privacy While Enabling Innovation
The explosive growth of the Internet, cloud computing, the proliferation of computers and handheld mobile devices, and the expansion of e-commerce, e-government, e-health, and other web-based services have brought tremendous social and
economic benefits. At the same time, however, technology has fundamentally redefined how, where, and by whom data is collected, used, and shared. The challenge
that industry and government must address together is how to best protect consumers privacy while enabling businesses to develop a wide range of innovative
products and services.
Consider, for example, online advertising. Online advertising is the fuel that powers the Internet and drives the digital economy. Over $25 billion was spent on online advertising in 2010.1 Millions of websites are able to offer their content and
services for free because of the revenue they derive from advertising online. For
small and medium-sized businesses in particular, online advertising has created
new opportunities to inform consumers about their products and services. One study
estimates that the advertising-supported Internet ecosystem is responsible for creating 3.1 million American jobs, and that the dollar value of these wages totals approximately $300 billion.2 Consumers also benefitnot only because online advertising enables the free services and content they enjoy, but because the ads they
see are more likely to be relevant. Simply put, the richness and vibrancy of the modern Internet experience is due in large part to the success of online advertising.
1 Kristen Schweizer, U.S. Web Advertising Exceeds Newspaper Print Ads in 2010, eMarketer
Says, BLOOMBERG (Dec. 20, 2010), http://www.bloomberg.com/news/2010-12-20/u-s-web-ads-exceed-newspaper-print-ads-in-2010-emarketer-says.html.
2 Hamilton Consultants, Inc., Economic Value of the Advertising-Supported Internet Ecosystem
4 (June 20, 2009), http://www.iab.net/media/file/Economic-Value-Report.pdf.
VerDate Nov 24 2008
06:38 Mar 19, 2012
Jkt 073308
PO 00000
Frm 00040
Fmt 6633
Sfmt 6621
SCOM1
PsN: JACKIE
37
The collection of data to serve ads on the Internet also has important privacy implications. When Justice Louis Brandeis famously defined privacy as the right to
be let alone in 1890,3 he could not have foreseen how technology would revolutionize our world. An individual planning a trip to Boston can now go online to compare airfares, book a hotel room, map out restaurant recommendations that are convenient to her itinerary, and poll her network of friends for suggestions about things
to do during her trip. Every day, people generate billions of page views, transactions, downloads, and search queriesa mountain of data, across a myriad of different devices, that reveals valuable information about users interests. As one of
Microsofts senior executives recently recognized, industry can and must do better
in addressing the fact that consumers often do not understand the ways in which
their data is bought, sold, bartered, exchanged, traded, and used.4
In the digital era, privacy is no longer about being let alone. Privacy is about
knowing what data is being collected and what is happening to it, having choices
about how it is collected and used, and being confident that it is secure. These three
principlestransparency, control, and securityunderpin Microsofts approach to
privacy. They are also essential components of the thoughtful privacy frameworks
recently advanced by the Federal Trade Commission (FTC) and the Department of
Commerce.5 We believe that the principles of transparency, control, and security
should inform legislative, self-regulatory, technological, and educational initiatives
to safeguard consumer privacy.
II. A Role for Congress and Comprehensive Privacy Legislation
As we focus on what can be improved, it is important to note that in the past
year, significant progress has been made toward protecting individuals privacy:
technological solutions to empower consumers to control their personal information
are now widely available, consumers are much more educated about the nature and
scope of privacy risks, enforcement actions have been taken by the FTC, and legitimate industry practices are becoming better and more consistent. Federal legislation
can be an effective complement to this strategy, providing an additional layer of protection for consumers and another tool for enforcement officials.
Historically, Congress has played an active role in protecting consumers online.
Beginning in the late 1990s, Congress passed laws aimed at specific online harms
and revised existing laws to account for the evolving ways in which technology was
being used to collect, use, and share personal information. Examples include the
Childrens Online Privacy Protection Act of 1998, the privacy and security provisions
for financial information in 1999s Gramm-Leach-Bliley Act, the CANSPAM Act of
2003, and the breach notification provisions for protected health information that
were included in 2009s Health Information Technology for Economic and Clinical
Health Act. Congress (and this Committee in particular) has also scrutinized important privacy-related issues such as online advertising, data security and breach notification, privacy in connection with broadband providers, spyware, and childrens online safety.
Although the progress that has been made is notable and should not be overlooked, our view since 2005 has been that Congress should take the next step and
enact comprehensive Federal privacy legislation. One of the key problems with the
current sectoral approach to privacy regulations is that it makes compliance a complex and costly task for many organizations. According to one estimate, by 2009
there were over 300 Federal and state laws relating to privacy.6 The sector-specific
approach also creates confusion among consumers, and can result in gaps in the law
for emerging sectors or business models.
3 Samuel D. Warren & Louis D. Brandeis, The Right to Privacy, 4 HARV. L. REV. 193, 193
(1890).
4 See Emily Steel, Microsoft Executive Urges Online Ad Industry to Police Itself, WALL ST. J.
DIGITS BLOG (Feb. 28, 2011, 6:28 PM), http://blogs.wsj.com/digits/2011/02/28/microsoft-executive-urges-online-ad-industry-to-police-itself/ (referencing comments by Rik van der Kooi, corporate vice president of Microsofts Advertiser & Publisher Solutions group, at the annual leadership meeting of the Interactive Advertising Bureau).
5 See generally Fed. Trade Commn, Preliminary Staff Report, Protecting Consumer Privacy in
an Era of Rapid Change: A Proposed Framework for Businesses and Policymakers (Dec. 1, 2010)
[hereinafter FTC Staff Report]; Internet Policy Task Force, Dept of Commerce, Commercial
Data Privacy and Innovation in the Internet Economy: A Dynamic Policy Framework (Dec. 16,
2010) [hereinafter Commerce Report]. As we noted in comments filed with the FTC and the
Commerce Department, we applaud the Commissions and Departments efforts to develop a robust privacy framework that will withstand rapid technological advances while fostering innovation.
6 Lee Gomes, The Hidden Cost of Privacy, FORBES, June 8, 2009, available at http://
www.forbes.com/forbes/2009/0608/034-privacy-research-hidden-cost-of-privacy.html.
VerDate Nov 24 2008
06:38 Mar 19, 2012
Jkt 073308
PO 00000
Frm 00041
Fmt 6633
Sfmt 6621
SCOM1
PsN: JACKIE
38
What industry needs is Federal privacy legislation that sets forth baseline privacy
protections for transparency, consumer control, and security that are not specific to
any one technology, industry, or business model. Privacy protections that apply
across sectors would provide consistent baseline protections for consumers, and simplify compliance for businesses that increasingly operate across those sectors. Baseline privacy protections would also promote accountability by ensuring that all businesses use, store, and share commercial data in responsible ways, while still encouraging companies to compete on the basis of more robust privacy practices. In addition, legislation would create legal certainty by preempting state laws that are inconsistent with Federal policy.
Microsoft is pleased to see that members in both chambers of Congress are taking
up the issue of comprehensive privacy legislation in the current congressional session, and we also find it encouraging that some of these initiatives appear to have
early bipartisan support. As these proposals advance through the legislative process,
we note that any privacy legislation should be crafted with two goals in mind. First,
the legislation must protect consumers privacy and data security while enabling innovation and facilitating the productivity and cost-efficiency offered by new business
models and computing paradigms. Second, the legislation should create privacy protections that can withstand the rapid pace of technological change so that consumer
data is protected not only today, but also in the decades to come.
To achieve these two ends, any proposed legislation should be tested against certain fundamental criteria, among them:
Flexibility. The legislation should permit businesses to adapt their policies and
practices to match the contexts in which consumer data is used and shared and
be sufficiently flexible to allow technological innovation to flourish.
Certainty. The legislation should provide businesses with certainty about
whether their privacy policies and practices comply with legal requirements.
Simplified data flows. The legislation should seek to facilitate the interstate
and international data flows that are necessary to enable more efficient, reliable, and secure delivery of services, including through harmonizing international privacy regimes and preempting a patchwork of state privacy laws.
Technology neutrality. The legislation should avoid preferences for particular
services, solutions, or mechanisms to provide notice, obtain choice, or protect
consumer data.
Focus on substantive outcomes. Instead of imposing prescriptive rules that may
be of limited effect or that may burden businesses without yielding commensurate privacy benefits, the legislation should set privacy goals based on criteria
established in current public policy, then permit businesses to adopt methods
and practices to reach those goals in a manner that best serves their business
models, technologies, and the demands of their customers.
We look forward to continuing to work with this Committee to craft legislation
that meets these criteria.
III. A Role for Industry Self-Regulation and Best Practices
Legislation, while important, is only part of the solution. Legislation is an appropriate vehicle for setting baseline standards, but it must work in conjunction with
industry self-regulation and best practices, technology solutions, and consumer education.
Industry self-regulation is a useful complement to legislation for two reasons.
First, self-regulatory efforts can easily be tailored to the particular context in which
data about individuals is collected and used. Consumers have different privacy expectations depending on whether they are interacting with retailers, application developers, social media platforms, search engines, Internet service providers, publishers, advertisers, ad networks, or data exchanges. Effective privacy protections
should take into account consumers reasonable expectations of privacy, and industry self-regulation offers a flexible tool for doing so. Second, self-regulatory efforts
are generally well-positioned to keep pace with evolving technologies and business
models. There is no question that technology, business models, and consumer adoption of online services will continue to changeand change rapidly. A decade ago,
few consumers were publicly sharing their personal photographs and home videos,
but today consumers regularly post these materials on social networking and online
video websites without hesitation because they believe such services are valuable.
In 2003 Facebook was just an idea in the mind of a Harvard undergraduate, but
today there are companies whose entire business model is built around developing
applications for Facebook and other social media platforms.
VerDate Nov 24 2008
06:38 Mar 19, 2012
Jkt 073308
PO 00000
Frm 00042
Fmt 6633
Sfmt 6621
SCOM1
PsN: JACKIE
39
Given the complex and dynamic nature of the online ecosystem, crafting workable
solutions requires engagement from multiple stakeholders. Microsoft has a history
of working collaboratively with other companies to develop appropriate solutions
that build on the principles of transparency, control, and security. For example,
Microsoft is a strong supporter of the Self-Regulatory Program for Online Behavioral Advertising, which includes an educational website where consumers can learn
about online advertising and choose not to have their information used for behavioral advertising. Additionally, data security is one of the focal points of the Program: participating organizations must agree to provide appropriate security for,
and limit their retention of, data collected and used for behavioral advertising. In
our multiple roles as a browser manufacturer, ad network, and website operator, we
are coordinating with the Interactive Advertising Bureau and other participants in
the Self-Regulatory Program to ensure that this important initiative is effective, enforceable, and broadly accepted. Consistent with our commitment to responsible industry leadership, we are also working at the World Wide Web Consortium, the
standards-setting body for the Web, to develop an industry consensus about technical standards that can implemented across browsers to enable common tools for
consumers to block tracking activities by third parties.
Transparency, control, and security are also essential concepts in Microsofts Privacy Guidelines for Developing Software Products and Services, which are based on
our internal privacy standards. We make these standards publicly available at
http://www.microsoft.com/privacy for other organizations to use when developing
and guiding their own product development processes. To encourage industry to
adopt these guidelines, we have taught courses for others in industry to educate
them on the standards.
IV. A Role for Technology Solutions
As a technology company, we naturally believe that technology has a key role to
play in protecting consumer privacy. To ensure that we engineer privacy into our
products from the outset and consider privacy issues throughout the project
lifecycle, we have implemented internal policies and procedures that advance key
principles such as transparency, control, and security.7 For example, in individual
business groups such as Windows, Office, and Xbox, we have a three-tier system of
privacy managers, privacy leads, and privacy champs who help make sure that our
products and services comply with our standards and applicable privacy laws. We
also have a dedicated Trustworthy Computing team that works with business
groups across the company to ensure that their products and services adhere to
Microsofts security and privacy policies. Although my colleagues in other divisions
would be delighted to provide you with details about our initiatives for Bing, Kinect,
and other products and services, I want to focus on our industry-leading browser,
Microsofts Internet Explorer.
Internet Explorer has really been a pioneering technology for protecting consumer
privacy online. It was the first browser to introduce InPrivate Browsing, a feature
that prevents a consumers browsing history, temporary Internet files, form data,
cookies, and usernames and passwords from being retained by the browser, thereby
leaving virtually no evidence of the consumers browsing history. Another feature in
Internet Explorer 8, InPrivate Filtering, watches for third-party content that appears with high frequency across websites from companies that may be engaged in
tracking activities, while still allowing consumers to view the content on the sites
theyve chosen to visit.
The InPrivate features were breakthroughs, but what I would like to highlight
today is that Microsoft was the first of the major browser manufacturers to respond
to the FTCs recent call for a persistent, browser-based Do Not Track mechanism.8
The version of our browser that is being released this week, Internet Explorer 9,
will offer an innovative new feature, Tracking Protection, that allows consumers
to decide which sites can receive their data and filters content from sites identified
as privacy threats. Users will be able to create or download Tracking Protection
Lists that identify websites which are, in the view of the list creator, trustworthy
7 Both the FTCs proposed framework and legislation currently moving through Congress recognize the importance of a robust privacy by design program. We support these efforts to encourage industry to incorporate privacy protections into their data practices and to develop comprehensive privacy programs.
8 See FTC Staff Report 66 (Commission staff supports a more uniform and comprehensive
consumer choice mechanism for online behavioral advertising, sometimes referred to as Do Not
Track. . . . The most practical method of providing uniform choice for online behavioral advertising would likely involve placing a setting similar to a persistent cookie on a consumers browser and conveying that setting to sites that the browser visits, to signal whether or not the consumer wants to be tracked or receive targeted advertisements.)
VerDate Nov 24 2008
06:38 Mar 19, 2012
Jkt 073308
PO 00000
Frm 00043
Fmt 6633
Sfmt 6621
SCOM1
PsN: JACKIE
40
or untrustworthy. If a site is listed as a do not track site on a Tracking Protection
List, Internet Explorer 9 will block third-party content from that site, unless the
user visits the site directly by clicking on a link or typing its web address. By limiting calls to third-party websites, Internet Explorer 9 limits the information these
third-party sites can collectwithout relying on the third-party sites to read, interpret, and honor a do-not-track signal. At the same time, Tracking Protection Lists
can include OK to call entries that permit calls to specific sites, which allows consumers to create exceptions in a given list.
The Tracking Protection feature is highly customizable and can be adapted to specific user preferences because anyone on the Web (including consumer groups and
privacy advocates, enterprises, security firms, and consumers) will be able to create
and publish Tracking Protection Liststhey are simply files that can be uploaded
to a website and made available to others via a link. Tracking Protection also supports user control: consumers can create or subscribe to more than one list if they
wish, they can subscribe and unsubscribe to lists as they see fit, and a decision to
subscribe to a list or lists will enable Tracking Protection across all browsing sessions until the consumer chooses to turn it off. Finally, Tracking Protection was designed with security in mind: because the Web evolves over time and third parties
might migrate to new domain names, Internet Explorer 9 will automatically check
for updates to a consumers lists on a regular basis, helping ensure that the lists
address the latest privacy and security threats.
V. A Role for Consumer Education
We agree with the FTC and the Commerce Department that there is a need for
greater consumer education to increase consumer understanding of data practices
and their privacy implications.9 At Microsoft, we recognize that it is crucial to engage and educate consumers, to give them a voice and build a bridge to mutual understanding and benefit. That is why we provide consumers with clear information
about our own practices and, where appropriate, offer choices about what data will
be collected and how it will be used.
Microsoft was one of the first companies to adopt layered privacy notices. The
Microsoft Online Privacy Statement provides consumers with the most important information about our privacy practices in a concise, one-page upfront summary with
links to additional layers that describe in more detail our data collection and use
practices, including the concepts of purpose specification and use limitation. Moreover, as noted above, we offer consumers easy ways to learn about online behavioral
advertising and the privacy practices associated with the particular advertisements
they receive, and to opt-out of behavioral advertising if they so choose.
We have also partnered with consumer advocates and government agencies to develop educational materials on consumer privacy and data security, such as:
National Cyber Security Alliance (NCSA). Microsoft is part of this nonprofit
public-private partnership that offers online safety and security information to
the public on the http://www.staysafeonline.org website and through educational efforts such as National Cyber Security Awareness Month.
GetNetWise. Microsoft supports this public education organization and website
(www.getnetwise.org), which offers Internet users resources for making informed
decisions about safer Internet use.
Internet Keep Safe Coalition (www.ikeepsafe.org). Microsoft is a part of this
partnership of Governors, attorneys general, public health and educational professionals, law enforcement, and industry leaders working together for the
health and safety of youth online.
Stop. Think. Connect (http://safetyandsecuritymessaging.org). Microsoft and a
host of other organizations support this online safety campaign that promotes
greater awareness and safer behavior on the Web.
We believe that such initiatives are important for ensuring that consumers understand the importance of protecting their privacy and security online, and are
equipped with the tools to do so.
VI. Conclusion
Thank you for extending us an invitation to share our experience and recommendations with you. We commend the Committee for holding this hearing
today, and we look forward to working with you to craft meaningful privacy protections that provide transparency, control, and security in a way that honors individ9 See
VerDate Nov 24 2008
06:38 Mar 19, 2012
FTC Staff Report 7879; Commerce Report 3136.
Jkt 073308
PO 00000
Frm 00044
Fmt 6633
Sfmt 6621
SCOM1
PsN: JACKIE
41
uals privacy expectations, complements existing technological and industry-based
solutions, and promotes innovation.

Mr. Montgomery?
STATEMENT OF JOHN MONTGOMERY,
CHIEF OPERATING OFFICER, GROUPM INTERACTION
Mr. MONTGOMERY. Senator Pryor, members of the Committee,

good morning and thank you for the opportunity to testify.
My name is John Montgomery. Im the Chief Operating Officer
of the North American operations of GroupM Interaction. GroupM
is the worlds leading, full service media investment operation employing over 17,000 employees in 81 countries. Our clients are
some of the biggest brand advertisers in the world who we advise
on where to place advertisements most effectively.
I begin my remarks where I believe the Committees examination
should begin with a review of the tremendous benefits provided by
online advertising. While the Internet has revolutionized our lives
in extraordinary and exciting ways and advertising is the fuel for
the Internet economic engine. Behavioral advertising, also called
interest based advertising, is an essential practice that delivers advertising based on consumer preferences or interests as inferred
from data about online activities.
For example if a browsers activity suggested the user has a new
baby we can show offers for baby products rather than retirement
homes or sports cars. Consumers find such advertisements more
relevant than random messages and advertisers are more likely to
attract consumers that are interested in their products and services.
We at GroupM and our clients strongly believe in protecting consumer privacy. Its not only the right thing to do, but its good for
business. And Im excited to share with the Committee the work
that weve done to make sure that the consumers have both transparency and control to exercise their preferences in regard to online
behavioral advertising.
GroupM has participated in an unprecedented cross industry effort by leading trade associations and companies that responds to
the FTCs report that calls for self regulation on online behavioral
advertising. This effort is being spearheaded by the leading associations that collectively represent the key elements of the Internet
ecosystem, more than 5,000 companies in all. The FTC report set
out a roadmap of key elements that should be included in self-regulation including transparency, consumer control and data security.
And the major component of the program is the use of an icon that
informs consumers that interest based advertising is occurring.
And to help create this icon GroupM mobilized our market leading advertising teams to invest the same design, testing, and market research in this icon as we would use for our Fortune 500 clients. Let me briefly show you how the principle works from a consumers perspective. If I could refer you to the boards on my right.
Aboutads.info is a simple and effective one stop platform for
consumers to opt-out of having their information collected and used
for behavioral advertising purposes. Consumers can opt-out with
the click of one button with respect to all participating companies.
VerDate Nov 24 2008
06:38 Mar 19, 2012
Jkt 073308
PO 00000
Frm 00045
Fmt 6633
Sfmt 6601
SCOM1
PsN: JACKIE
42
And GroupM and hundreds of leading companies are working to
advance compliance with the program.
Two other major elements of our implementation effort are education and enforcement. GroupM has partnered with the Interactive Advertising Bureau on a Privacy Matters education campaign to inform consumers about how they can manage their online
experience and to explain how advertising supports the Internet.
To date more than 600 million impressions are being delivered as
part of this campaign.
And finally I want to emphasize that companies will be held accountable for complying with the principles just as the FTC recommended. All of us in advertising have a strong incentive to
maintain accountability in order to foster consumer trust. The principles are enforceable through programs being administered by the
Direct Marketing Association and the Council of Better Business
Bureaus. These organizations have long-standing effective and respected compliance programs that they are leveraging to cover the
principles. Any company that claims to comply but fails to do so
could face FTC enforcement for deceptive acts or practices.
And whilst our programwhilst our progress has been exciting,
our work continues. One of the major benefits of industry self regulation is the ability to respond quickly to changes to technology and
business practices. For example recently, some policymakers have
raised concerns that data collected for advertising purposes could
be used as a basis for employment, credit or health insurance eligibility decisions.
I want to emphasize that these are hypothetical concerns that do
not reflect actual business practice. But nevertheless industry is
stepping forward to address these concerns. And were expanding
our guidelines to clarify and ensure that such practices are prohibited and will never occur.
The self regulatory principles owe much to the guidance of federal policymakers which have strengthened our independent commitment to consumer privacy and uniform choice. Now as you proceed in this dialogue its vitally important to avoid mixed messages
to consumers that could inhibit them from exercising their choice
to the self-regulatory tool thats already available. We have to ensure that theres a single standard to make it simple for consumers. We do not want to add confusion to an already complex
arena. Now I want to make it clear that we are working with a
browser company such as Microsoft and Firefox and even Chrome,
who are a part of the coalition to incorporate self-regulation and Do
Not Track together.
So in conclusion, we believe that the program creates the right
framework that encourages both innovation and privacy bringing
the benefits for online services and privacy protection to consumers. Thank you, and I look forward to any questions.
[The prepared statement of Mr. Montgomery follows:]
VerDate Nov 24 2008
06:38 Mar 19, 2012
Jkt 073308
PO 00000
Frm 00046
Fmt 6633
Sfmt 6601
SCOM1
PsN: JACKIE
43
PREPARED STATEMENT OF JOHN MONTGOMERY, CHIEF OPERATING OFFICER,
NORTH AMERICA, GROUPM INTERACTION
I. Introduction
Chairman Rockefeller, Ranking Member Hutchison, and members of the Committee, good morning and thank you for the opportunity to speak at this important
hearing.
My name is John Montgomery and I am the Chief Operating Officer for the North
American operations of GroupM Interaction (GroupM). Headquartered in New
York City, GroupM is the worlds leading full-service media investment management operation, employing over 17,000 employees in 81 countries. GroupM is the
parent company of WPPs market-leading media communications agencies, including
Maxus, MEC, Mindshare and Mediacom. Our clients are major global companies
with brands that are household names. In the simplest terms, we advise clients on
how to use advertising and where to place advertisements most effectively. Our
business is built on the belief that both consumers and companies benefit when advertising provides timely and relevant information to those consumers who are most
likely to be interested. While this philosophy is not new or unique to the Internet,
online advertising has given us new tools to help our clients.
We at GroupM strongly believe in protecting consumer privacy. It is not only the
right thing to do, but it is also good for business. We want to build consumer trust
in the online experience, and therefore we believe that consumers should be able
to choose whether and how their data is collected or used for online behavioral advertising. Our clients also want to provide these choices to maintain the confidence
of their customers. Global companies work hard every day to protect their brands,
and they recognize that their customers may have different preferences about online
advertising.
My testimony today will describe how we have worked successfully with other industry leaders to give consumers these choices, and to create easy, uniform, and effective tools for them to exercise their choices. Our contributions illustrate the industry-wide collaboration and support behind this self-regulatory effort, which are
truly impressive given our highly competitive marketplace.
II. Online Advertising Benefits Consumers and the Economy
I begin my remarks where I believe the Committees examination should begin
with a review of the tremendous benefits provided by online advertising, especially
behavioral advertising.
It is impossible to overstate the economic importance of the Internet today. Even
in difficult times, e-commerce has continued to grow, thrive, and employ millions of
Americans. The Internet is now the focus and a symbol of the United States famed
innovation, ingenuity, inventiveness, and entrepreneurial spirit, as well as the venture funding that follows. The Internet has already revolutionized our lives, and it
continues to evolve in extraordinary and exciting ways. And as the Department of
Commerce recently concluded, thus far the United States approach to Internet policy has enabled the digital economy to flourish.1
Advertising helps to fuel the Internet economic engine. Revenues from online advertising support and facilitate e-commerce and subsidize the cost of content and
services that consumers value, such as online newspapers, blogs, social networking
sites, e-mail, and phone services. Because of advertising support, consumers can access a wealth of online resources for free or at a low cost. These resources have
transformed our daily lives. Imagine parents who discover their child is sick at two
oclock in the morning. They can go online to look up basic medical information or
find directions to the nearest doctors office or emergency room. The Internet is now
so established that we tend to take these resources for granted, but in fact they are
largely supported by advertising.
Online advertising is equally vital to established businesses and new start-up
companies. A study commissioned by the Interactive Advertising Bureau estimated
that some three million Americans are employed due to the advertising-supported
Internet.2 Online advertising also fosters competition by making it easier for emerg1 Department of Commerce Internet Policy Task Force, Commercial Data Privacy and Innovation in the Internet Economy: A Dynamic Policy Framework at 1 (December 2010) (hereinafter
Commerce Policy Framework), available at http://www.commerce.gov/sites/default/files/documents/2010/december/iptf-privacy-green-paper.pdf.
2 Hamilton Consultants, Inc. with Professors John Deighton and John Quelch, Economic Value
of the Advertising-Supported Internet Ecosystem, at 4 (June 10, 2009), available at http://
www.iab.net/media/file/Economic-Value-Report.pdf.
VerDate Nov 24 2008
06:38 Mar 19, 2012
Jkt 073308
PO 00000
Frm 00047
Fmt 6633
Sfmt 6621
SCOM1
PsN: JACKIE
44
ing businesses to reach potential customers. In turn, these entrepreneurs spur existing market leaders to continue innovating.
Behavioral advertising is an essential form of online advertising. As the Committee knows, behavioral advertising, also called interest-based advertising, is delivered based on consumer preferences or interests as inferred from data about online
activities. Consumers are likely to find behavioral advertisements more relevant
than random messages, and advertisers are more likely to attract consumers that
are interested in their products and services. For example, if a browsers activity
suggests that the user has a new baby, we can show offers for baby products rather
than retirement homes or sports cars. Websites also benefit because behavioral advertising garners better responses, allowing websites to earn more revenueand
support more content and servicesfor fewer advertisements.
At the same time, we recognize and respect that some consumers may prefer not
to receive behavioral advertising. I am excited to share with the Committee the
work we have done to make sure that consumers have both transparency and control to exercise their preferences in regard to online behavioral advertising.
III. Industry Self-Regulatory Principles Follow the Federal Trade
Commission Roadmap
In February 2009, after an extended deliberative process, the Federal Trade Commission published a Staff Report that called upon industry to redouble its efforts
to create self-regulation of online behavioral advertising.3 The report set out a roadmap of several key elements that should be included in self-regulation, such as
transparency, consumer control, and data security. The Commission also made clear
that consumer tools to exercise choice should be easy to use, effective, uniform, and
ubiquitous.
In the two years since the Commissions Staff Report, GroupM is pleased to have
participated in an unprecedented cross-industry effort by leading trade associations
and companies to respond to the Federal Trade Commissions endorsement of selfregulation. This effort has been spearheaded by the American Association of Advertising Agencies, the Association of National Advertisers, the Interactive Advertising
Bureau, and the Direct Marketing Association, and also includes the American Advertising Federation, the Network Advertising Initiative, and other leading industry
associations that represent components of the Internet ecosystem. These associations and the companies participating in the self-regulatory effort collectively account for the vast majority of online behavioral advertising. Following the roadmap
set out by the Commission, we have worked diligently to develop standards, launch
innovative tools, and educate consumers to make sure they have the choices they
deserve.
In July 2009, just 5 months after the Federal Trade Commissions guidance, our
coalition announced a groundbreaking set of Self-Regulatory Principles for Online
Behavioral Advertising.4 The Principles apply across the entire online advertising
ecosystem. They address all of the key elements called for in the Federal Trade
Commissions 2009 Staff Report, namely:
Consumer education,
Enhanced notice of data practices,
Innovative choice mechanisms,
Data security,
Sensitive data protection,
Consent for retroactive material policy changes, and
Enforcement.
The Self-Regulatory Principles prescribe expectations for companies in each of
these areas. They provide uniform definitions for key terms and include detailed
Commentary to aid compliance.
GroupM believes that the Self-Regulatory Principles are comprehensive yet flexible enough to respond to the complex and rapidly evolving online advertising ecosystem. Most importantly, they are supported by all of the major industry stakeholders. We were pleased, therefore, that the Commerce Departments recent draft
3 Federal Trade Commission Staff Report, Self-Regulatory Principles for Online Behavioral Advertising at 47 (February 2009), available at http://www.ftc.gov/os/2009/02/P085400behav
adreport.pdf.
4 American Association of Advertising Agencies, Association of National Advertisers, Direct
Marketing Association, Interactive Advertising Bureau, and Council of Better Business Bureaus,
Self-Regulatory Principles for Online Behavioral Advertising (July 2009), available at http://
www.aboutads.info/resource/download/seven-principles-07-01-09.pdf.
VerDate Nov 24 2008
06:38 Mar 19, 2012
Jkt 073308
PO 00000
Frm 00048
Fmt 6633
Sfmt 6621
SCOM1
PsN: JACKIE
45
framework on privacy and innovation also favors voluntary and enforceable industry
codes like our initiative.5
IV. Implementing Self-Regulation: Uniform Choice, Consumer Education,
and Enforcement
Since releasing the Principles in July 2009, GroupM and other industry leaders
have made significant investments in implementing the Principles across the Internet. A timeline of milestones is attached (Attachment 1). The development and
launch of our Advertising Option Icon has been a key focus of this implementation
phase, and I am very proud of GroupMs important contributions in this area. Advertisers who are adopting this icon for their advertisements are finding that the
icon enhances a companys brand relating to its privacy stance. The icon is a winwin for consumers and businesses.
The Federal Trade Commission made clear, and we agree, that consumers should
get notice of behavioral advertising practices that is uniform, ubiquitous, and just
in time to make decisions. For uniformity, we also agreed that this notice should
use a special graphic icon that would be memorable to consumers. To assist in the
creation of this icon, GroupM mobilized our market-leading advertising teams to invest the same design, testing, and market research in this icon that we would use
for our Fortune 500 clients. Our work was the basis for the Advertising Option Icon
(Attachment 2), a simple but attention-grabbing graphic that we hope will become
as universally familiar and recognizable as the recycling logo.
To make sure this notice is ubiquitous and just in time, as recommended by the
Federal Trade Commission, we reached the innovative solution of embedding the
icon where data is collected and used for online behavioral advertising.
Let me briefly review how the Principles work from a consumers perspective:
First, an advertisement covered by the Principles is identified with the Advertising Option Icon, which appears in the advertisement right where the consumer will notice it (Attachment 3). The icon launched last December and has
already been served in billions of advertisements, and we expect to reach the
milestone of one trillion impressions by the end of this year.
Clicking the Advertising Option Icon brings up a brief statement about online
behavioral advertising, with a link to more information and opt-out choices.
Interested consumers can click this link to visit AboutAds.info, an industrysponsored website that provides consumer education (Attachment 4) and, most
importantly, consumer choice (Attachment 5).
AboutAds.info is a simple and effective one stop platform for consumers to optout of having their information collected and used for behavioral advertising purposes. Consumers can opt-out with respect to all participating companies, or they
can pick and choose which companies may collect and use their data.
The Federal Trade Commission has recently referred to this type of process as a
Do Not Track system. We believe that our program provides uniform notice and
choice. Regardless of what terminology is used, our self-regulatory tools meet all
of the policy goals that the Commission has publicly set forth. As implementation
proceeds, no matter where consumers go online, they will see one memorable icon
that leads to the same familiar and easy-to-use choice mechanism.
Companies can easily implement this uniform process and become compliant with
the Self-Regulatory Principles by working with approved providers Evidon,
TRUSTe, and DoubleVerify, which offer technical solutions for compliance. GroupM
is working with Evidon to advance compliance in all of our offerings and agencies.
Hundreds of leading companies are already compliant or in the process of complying.
Two other major elements of our implementation effort are education and enforcement. GroupM is strongly committed to consumer education and has made significant investments in this area. Our goal is to build consumer trust by helping consumers to understand and exercise their choices.
First, we have partnered with the Interactive Advertising Bureau on the Privacy
Matters educational campaign to inform consumers about how they can manage
their online experience and to explain how advertising supports the Internet. For
this campaign, we used catchy and controversial slogans like Advertising Is
Creepy to appeal to the consumers most interested in learning more. As part of this
unparalleled effort, the Interactive Advertising Bureaus online publisher members
have delivered close to 600 million online public service announcements. These announcements link to the Privacy Matters website (http://www.iab.net/
5 Commerce
VerDate Nov 24 2008
06:38 Mar 19, 2012
Jkt 073308
Policy Framework at 5, 4144.
PO 00000
Frm 00049
Fmt 6633
Sfmt 6621
SCOM1
PsN: JACKIE
46
privacymatters/), which features fun educational modules on advertising practices
and safe Web browsing. Through January 2011, the results of this campaign have
been excellent, with a click-through-rate that is substantially out-performing the
standard range for public service campaigns.
GroupM has also supported the industry coalition effort to publicize the Self-Regulatory Principles and associated tools for businesses and consumers. This multifaceted campaign, which supplements the consumer notice provided by the Advertising Option Icon, has included the launch of the AboutAds.info website, community outreach by the participating trade associations, a series of educational
webinars to assist businesses with coming into compliance with the Principles, and
the delivery of additional online public service announcements.
Finally, I want to emphasize that companies will be held accountable for complying with the Principles, just as the Federal Trade Commission recommended. The
Principles are enforceable through programs being administered by the Direct Marketing Association and the Council of Better Business Bureaus.6 These organizations have longstanding, effective, and respected compliance programs that they are
leveraging to cover the Principles. The Council of Better Business Bureaus has created a new program and hired additional employees to administer the Principles.
All of us in the advertising industry have a strong incentive to maintain accountability in order to foster consumer trust. In addition, any company that claims to
comply, but fails to do so, could face Federal Trade Commission enforcement for deceptive acts or practices.
V. The Future of Self-Regulation
As I explained, the Self-Regulatory Principles include all of the elements set out
in the Federal Trade Commissions 2009 roadmap. Less than 2 years after the Principles were announced, and thanks to strong investment by the business community, our implementation phase is gaining strong momentum. Every day, we are
adding more members to the compliance programs, putting more Advertising Option
Icons out on the Internet, and reaching more consumers with uniform notice and
choice.
While our progress has been exciting, our work continues. One of the major benefits of industry self-regulation is its ability to respond quickly to changes in technology and business practices. For example, some policymakers have raised concerns
that data collected for advertising purposes could be used as a basis for employment, credit, or health insurance eligibility decisions.7 I want to emphasize that
these are hypothetical concerns that do not reflect actual business practices. Nevertheless, industry is stepping forward to address these concerns and we are expanding our guidelines to clarify and ensure that such practices are prohibited and will
never occur. This type of adaptability is essential to avoid stifling innovation in the
complex and dynamic Internet environment. We welcome additional input from policymakers and we are committed to examining any future concerns that may arise.
The Self-Regulatory Principles owe much to the guidance of Federal policymakers,
which has strengthened our independent commitment to consumer privacy and uniform choice. As we proceed in this dialogue, it is vitally important to avoid confusing
or mixed messages to consumers that could inhibit them from exercising their
choices through the self-regulatory tool that is already available. It is equally important to maintain incentives for the business community, which has already invested
so much in self-regulation, to come into compliance with the Principles. GroupM and
our partners look forward to continuing our efforts and working cooperatively with
the Committee, the Federal Trade Commission, and the Department of Commerce
as we move forward with implementing the Self-Regulatory Principles for Online
Behavioral Advertising and discussing these important issues. We believe that this
program creates the right framework that encourages both innovation and privacy,
bringing the benefits of online services and privacy protection to consumers.
6 Direct Marketing Association Press Release, DMA Launches Enforcement for Online Behavioral Advertising (January 31, 2011); Council of Better Business Bureaus Press Release, Council Steps Up Enforcement of Interest-Based Advertising, (March 7, 2011).
7 Representative Jackie Speier, Do Not Track Our Online Data, Politico (March 4, 2011),
available at http://www.politico.com/news/stories/0311/50614.html; Jon Leibowitz, FTC
Chairman: Do Not Track Rules Would Help Web ThriveOnline commerce and personal privacy are not incompatible, U.S. News (January 3, 2011), available at http://www.usnews.com/
opinion/articles/2011/01/03/ftc-chairman-do-not-track-rules-would-help-web-thrive-jon-leibow
itz.
VerDate Nov 24 2008
06:38 Mar 19, 2012
Jkt 073308
PO 00000
Frm 00050
Fmt 6633
Sfmt 6621
SCOM1
PsN: JACKIE
47
***
Thank you for inviting me to share GroupMs perspective on The State of Online
Consumer Privacy. I look forward to answering any questions that the Committee
may have.
Attachment 1: Timeline of Industry Effort to Develop and Implement SelfRegulatory Principles for Online Behavioral Adverting
VerDate Nov 24 2008
December 2007
Federal Trade Commission staff releases proposed principles to guide the

development of industry self-regulation in the area of online behavioral advertising.
April 2008
Industry leaders file comments on Federal Trade Commissions proposals

and convene task force to examine existing self- regulatory efforts.
October 2008
Industry coalition begins drafting new self-regulatory guidelines.
February 2009
Federal Trade Commission releases final Staff Report on Self-Regulatory

Principles for Online Behavioral Advertising
July 2009
After building support among industry stakeholders, coalition releases

cross-industry Self-Regulatory Principles for Online Behavioral Advertising
(Principles) that correspond to the guidelines in the FTC staff report.
August 2009
Coalition turns to enforcement, operational implementation, and educational planning.
November 2009
Interactive Advertising Bureau and Network Advertising Initiative lead effort to develop technical specifications for implementing enhanced notice
through a link in or around an advertisement.
December 2009
Coalition launches Privacy Matters education campaign, which has been

designed to educate consumers about how they can manage their online experience and to help consumers better understand and appreciate how online advertising supports the Internet.
January 2010
Coalition announces intention to provide enhanced notice to consumers

through a link/icon embedded in online behavioral advertisements (or, if
such notice is not delivered, on the Web page where the behavioral advertisement occurs).
March 2010
Coalition commences effort to operationalize the Principles, including providing business education webinars, trademarking distinctive Advertising
Option Icon, and developing an industry- wide Website to deliver consumer
education, provide information concerning parties engaged in online behavioral advertising, and offer consumer choice.
October 2010
AboutAds.info Website launches. Companies may register to use the Advertising Option Icon and acquire specific technical guidance for the icons implementation and use.
Coalition selects the first approved provider to offer technical solutions for
compliance with the Principles.
November 2010
Coalition launches consumer-facing AboutAds,info Consumer Opt-Out Page,

where consumers may easily opt-out of some or all of the interest-based advertisements they receive.
December 2010
Coalition selects two additional approved provider vendors.
January 2011
Direct Marketing Association enforcement program goes into effect.
February 2011
Principles and Communication Advisory Committee convenes to consider

application of the Principles to mobile platforms, as well as ways to encourage international adoption of the icon and standards consistent with the
Principles.
March 2011
Council of Better Business Bureaus enforcement program goes into effect.

Accountability program selects vendor to provide technical platform to monitor participating companies compliance with the Principles.
06:38 Mar 19, 2012
Jkt 073308
PO 00000
Frm 00051
Fmt 6633
Sfmt 6621
SCOM1
PsN: JACKIE
48
Attachment 2. Advertising Option Icon
VerDate Nov 24 2008
06:38 Mar 19, 2012
Jkt 073308
PO 00000
Frm 00052
Fmt 6633
Sfmt 6621
SCOM1
PsN: JACKIE
316GRPM1.eps
316GRPM2.eps
Attachment 3. Sample Advertisement with Embedded Advertising Option

Icon
49
VerDate Nov 24 2008
06:38 Mar 19, 2012
Jkt 073308
PO 00000
Frm 00053
Fmt 6633
Sfmt 6621
SCOM1
PsN: JACKIE
316GRPM3.eps
Attachment 4. About Ads.info Home Page
50
Attachment 5. AboutAds.info Uniform Consumer Choice Page

Mr. Soltani?
STATEMENT OF ASHKAN SOLTANI,
INDEPENDENT PRIVACY RESEARCHER AND CONSULTANT
VerDate Nov 24 2008
06:38 Mar 19, 2012
Jkt 073308
PO 00000
Frm 00054
Fmt 6633
Sfmt 6601
SCOM1
PsN: JACKIE
316GRPM4.eps
Mr. SOLTANI. Thank you. Senator Pryor and distinguished members of the Committee, thank you for the opportunity to testify
about online consumer privacy and the state of web tracking. My
name is Ashkan Soltani. Im a technology researcher and consultant specializing in privacy and security on the Internet.
As background I served for a year as a technologist in the Division of Privacy and Identity Protection at the Federal Trade Com-
51
mission. I was also the primary technical consultant on the Wall
Street Journals What they know series. I should note the opinions here are my own and dont reflect the views of my previous
employers.
In my testimony I will describe findings from my research about
the pervasiveness of online tracking. I will discuss the extent to
which consumers can control unwanted tracking. I will conclude
with a description of the proposed Do Not Track mechanisms.
The practice of using third party services is very common on the
web today. In 2009 I co-authored a study where we found an average of 12 third party trackers on the top 100 most visited websites.
One site used roughly 100 different trackers. That means when a
user visits that website 100 unseen entities are notified of that
visit.
The very reason why online tracking is effective and why it
raises privacy concerns is that the third-party entities can monitor
users behavior across multiple, unrelated websites. In our study
one advertising service could track a users web browsing activity
down to approximately 90 percent of the websites weve examined.
This company is not alone in its reach. Widgets from a single social
networking company currently gather data across several million
websites. These companies that were positioned to infer a great
deal more than just the users interests in automobiles or sporting
goods. This unique vantage point enables them to collect the vast
majority of a users web browsing activity.
Its important to point out that online tracking is not limited to
desktop computers. Mobile devices and smartphones raise unique
privacy concerns because people always have them on their persons. Application and services running on these devices may have
the ability to access precise location information providing third
parties with intimate details about a users habits.
Every major web browser includes a patchwork of privacy-enhancing technologies that are not enabled by default and that are
often difficult to configure. Worse yet, even when properly configured online tracking companies have consistently devised ways to
circumvent their function. As a result browser vendors and thus
consumers are losing this game of privacy Whack-a-Mole.
Many ad services seek to temper privacy concerns by offering
users a way to opt-out of behavioral advertising. However these
opt-outs typically only allow users to opt out of receiving targeted
ads not opt out of the underlying tracking fully. I dont think this
is what most consumers would expect.
Finally, not all companies that engage in online tracking offer an
opt-out. By my count only about a quarter of the online trackers
Im aware of have existing opt-out mechanisms.
Todays consumer choice mechanisms fail to provide users with
meaningful control. Advocates and industry have been working to
establish an easy to use tool to control online tracking commonly
referred to as Do Not Track. Two separate but complementary approaches have been now advanced. And while I wont discuss them
in technical detail here, Im happy to answer any questions you
might have about them.
To conclude, online tracking is pervasive on the Internet and its
an issue thats often difficult for users to understand. Even when
VerDate Nov 24 2008
06:38 Mar 19, 2012
Jkt 073308
PO 00000
Frm 00055
Fmt 6633
Sfmt 6601
SCOM1
PsN: JACKIE
52
they do realize they are being tracked theres often very little that
can be done. Consumers need more transparency into who is tracking them online, what information is being collected and how this
information is being used, shared and sold.
There is a clear need for better privacy controls to prevent unwanted tracking. And industry has not delivered. To be effective
privacy protections online will likely require both technology and
policy working in tandem.
Thank you for inviting me today. And I hope that my testimony
here is helpful. Im grateful that the Committee has invited a technologist to participate since these issues can be deeply technical in
nature. I look forward to helping you understand these nuances
that make online tracking such an interesting and yet complex
issue.
Im happy to answer any questions.
[The prepared statement of Mr. Soltani follows:]
PREPARED STATEMENT OF ASHKAN SOLTANI,1
INDEPENDENT PRIVACY RESEARCHER AND CONSULTANT
Chairman Rockefeller, Ranking Member Hutchison, and the distinguished members of the Committee, thank you for the opportunity to testify about online consumer privacy and the state of tracking on the Web today.
My name is Ashkan Soltani. I am a technology researcher and consultant specializing in consumer privacy and security on the Internet. I have more than 15 years
of experience as a technical consultant to Internet companies and Federal Government agencies. I received my Masters degree in Information Science from the University of California at Berkeley, where I conducted extensive research and published two major reports on the extent and means of online tracking. Last year, I
served as a staff technologist in the Division of Privacy and Identity Protection at
the Federal Trade Commission on investigations related to Internet technology and
consumer privacy. I have also worked as the primary technical consultant on the
Wall Street Journals What They Know series investigating Internet privacy issues
on the ground.
I have been asked to testify about the current state of online tracking from a technical perspective. I will describe the basics of how online tracking works and discuss
some of my research that demonstrates how pervasive tracking is online today. I
will then discuss the extent to which consumers are actually aware that they are
being tracked online and whether they are able to meaningfully control unwanted
tracking with existing industry-provided and browser-based mechanisms. Finally, I
will discuss the Do Not Track proposals in light of these findings.
A. How Online Tracking Works
As an illustrative example to explain how consumers are tracked online, we can
step through a typical Web browsing session. A user wants to look up information
about cholesterol on WebMD, so he types www.webmd.com into his browsers location bar and navigates to a specific page on WebMDs site focused on cholesterol.
The browser contacts the WebMD server to retrieve the contents of the page. Much
of the pages content will be provided directly by WebMD itself, but some of the content may originate from other entities, such as an advertisement provided by an online advertising service such as Googles DoubleClick. As a result, although the
browsers location bar will show www.webmd.com, many other third party entities
may have a presence on the website, and often it is unclear to the user which content comes from which provider.
A useful analogy may be to imagine a picture frame that has slots to display a
number of different photos. WebMD provides the frame and a few of the photos,
while the rest of the photos are provided by third parties that WebMD has
partnered with. This practice of embedding content from third party entities is nearly universal on the Web today. As I will explain below, it is primarily these third
party entities that are capable of tracking users as they browse the Web.
1 My oral and written testimony here today to the Committee represents my own personal
views, and does not reflect the views of any of the organizations I have consulted or worked
for in the past.
VerDate Nov 24 2008
06:38 Mar 19, 2012
Jkt 073308
PO 00000
Frm 00056
Fmt 6633
Sfmt 6621
SCOM1
PsN: JACKIE
53
In this example, the WebMD page on cholesterol includes a third party online advertisement that is displayed at the top of the page. As the web browser fetches the
ad, two things relevant to tracking typically occur. First, the company providing advertisements can attempt to uniquely identify the browser using a variety of technical mechanisms, which I will discuss below. The simplest and most common technique is to use a browser cookie. In this context, a cookie is a file containing a
unique identifier that is placed on the users computer by the third party ad service
and is transmitted back to the service upon each subsequent ad request.2 Second,
the ad service can record detailed information about this interaction. The ad service
may log the date and time of the ad request, which ad was displayed, and perhaps
the details about the content of the WebMD page on which the ad was shown. Most
importantly, the ad service can link all this information to the unique identifier, and
collect this information together in a consumer data base.
Some time later, the user checks the weather by browsing to www.weather.com.
It turns out that the same third party ad service used by WebMD is also providing
ads for the Weather Channels site. As an ad loads in the margins of the Washington, D.C. forecast page, the ad service can again uniquely identify the users
browser, using the same cookie file that was previously stored. The ad service can
now tie the users browsing activity between the two sites togetherthe same
browser that previously accessed health information about cholesterol also looked up
the weather forecast in Washington, D.C. As the user continues to browse, this ad
service can continue to follow the users activity on the websites on which it has
a presence. These activities are the essence of online tracking.
Web browsing interactions are generally described as being in one of two categories, first party or third party. A first party is typically defined as an entity
whose site the user knowingly visits and whose Web address appears in the browsers location barin the scenario above, WebMD and then later, the Weather Channel. Users typically interact with a first party by directly typing its Web address
into the location bar or by browsing to it from another site, for instance, by following
a link from a search engine or a social network.
A third party is an entity that provides content that is included on a first party
site, like the ad service in our earlier scenario. While some third party interactions
are visible to the user, such as a displayed ad or an embedded video, it may not
be clear that this content is being provided by someone other than the site they are
visiting. However, other third party interactions may be invisible to the user. For
example, a web bug is an imperceptible image placed on first party sites, but operated by third parties, for the express purpose of invisibly tracking users.3 These
third party tracking objects can only appear on a site with the knowledge and consent of the first party. As an example, ads from Google DoubleClick will only appear
on Weather Channel pages if the Weather Channel explicitly decides to include
DoubleClick on its site.
Note also that the same business entity can be both a first party or a third party,
depending on the context. For instance, if a user browses directly to
www.youtube.com to watch online videos, YouTube is a first party. But, if a first
party site such as CNN.com embeds a YouTube video into one of its stories,
YouTube is now a third party.
In our scenario, the ad service uses a standard browser cookie to link together
two separate user interactionsone on WebMD and the other on the Weather Channel. Even though the cookie by itself does not usually identify the user by name,
third party trackers are able to build a browsing profile that consists of data from
numerous Web interactions over time from the same user.4 This browsing profile
has the potential to reveal quite a bit of information about the users real world
identity.5
Despite some claims that these collected browsing profiles are anonymous, recent computer science research suggests that it is often quite easy to re-identify
2 Cookies are text files that can store various types of information. For the purposes of tracking, they typically contain unique descriptors such as user=1234567890 or e-mail=john.doe
@host.com.
3 Web bugs are sometimes also referred to as tracking pixels or web beacons. Web bugs are
typically used to provide websites with information that will help them understand and optimize
web usage, and typically track users.
4 Of course, some browsers may be shared by multiple users, but often browsers will be used
primarily by a single user. This is particularly salient in the case of mobile phones, where the
sharing of devices is less common.
5 Each data point may also reveal the time of each site access and in many cases the users
approximate geographic location based on his IP address. More advanced tracking techniques
on a single page may be able to determine exactly how the user moves his mouse on the page
or what text on the page gets highlighted and copied.
VerDate Nov 24 2008
06:38 Mar 19, 2012
Jkt 073308
PO 00000
Frm 00057
Fmt 6633
Sfmt 6621
SCOM1
PsN: JACKIE
54
datasets that contain user information.6 As the number of data points in a browsing
profile increases, so too does the possibility that it can eventually be re-identified
to reveal the users actual identity, such as a name, e-mail address, or other personally identifiable information. For example, when a user purchases a product online,
the merchant could decide to share the users e-mail addresscollected in the billing
processwith a third-party ad service that is present on the purchase page. This
issue can also arise with the use of social networks, whereby identifying information
may leak to third party ad services.7
1. The State of Online Tracking
The practice of using third party services to add tracking and other functionality
to a website is quite common. In our Berkeley KnowPrivacy study, we found an average of 12 trackers present on each of the top 100 most popular websites, with one
having as many as 100 different trackers over the course of a month.8 This means
that when a user visits that website, potentially 100 entitiesnearly all unseen by
the userwill learn about the visit.
The very reason why online tracking is both effective and why it raises privacy
concerns is that third party entities can track consumers across multiple unrelated
first party websites. In our Berkeley study, we also found that some third party
trackers have an extensive reach across a large number of first party sites. One
advertising company was able to monitor activity on 91 of the top 100 most popular
sites, as well as 88 percent of 350,000 sites sampled in our dataset, as of March
2009.9 In 2010, a leading social network announced that their third party sharing
widgets were present on 2.5 million websites10 and growing at a rate of 10,000 sites
per day.11 In both these examples, the presence of third party objects generates a
steady stream of data that flows to a single entity. These uniquely pervasive positions give these companies the capacity to infer a great deal more than just a users
interest in automobiles or sporting goods. Their tracking technologies reach the vast
majority of every users Web browsing activity.
It is important to point out that online tracking is not limited to Web browsers.
Consumers are connecting to the Internet using a variety of devices that extend beyond what we consider a typical PC-and-browser setup. Mobile phones, televisions,
set top boxes (such as a Tivo or a cable box), video game consoles and even some
automobiles are now equipped with Internet connectivity and can leverage Web
services which include online advertisement. Some of these platforms also allow applications written by third parties, the most prominent example being app stores
on mobile smartphones.12 Mobile devices, in particular, raise unique privacy concerns because consumers carry them nearly all of the time.13 As such, applications
and services running on the phone may have the ability to access precise geolocation
information, using GPS technology, to learn even more intimate details about a consumers physical habits.
6 Narayanan, A., & Shmatikov, V. (2008). How to Break Anonymity of the Netflix Prize
Dataset. In Proc. of 29th IEEE Symposium on Security and Privacy, Oakland, CA, May 2008,
pp. 111125. and Ohm, P. Broken Promises of Privacy: Responding to the Surprising Failure
of Anonymization (2009, August 13). University of Colorado Law Legal Studies Research Paper
No. 0912. Available at SSRN: http://ssrn.com/abstract=1450006.
7 Krishnamurthy, B. and Willis, C. (2009). On the leakage of personally identifiable information via online social networks. In Proceedings of the 2nd ACM workshop on Online social networks (WOSN 09). ACM, New York, NY, USA, 712. DOI=10.1145/1592665.1592668 from
http://doi.acm.org/10.1145/1592665.1592668.
8 Gomez, J., Pinnick, T., and Soltani, A. (2009, June 1). KnowPrivacy available at http://
knowprivacy.org/report/KnowPrivacylFinallReport.pdf, p.26.
9 Id. p. 27.
10 Constine, J. (2011, February 27). All of Facebooks Like Buttons on Third-Party Sites Now
Publish a Full News Feed Story. Inside FacebookTracking Facebook and the Facebook Platform for Developers and Marketers from http://www.insidefacebook.com/2011/02/27/like-button-full-story/.
11 Parr, B. (2010, October 26). 10,000 Websites Integrate with Facebook Every Day. Social
Media News and Web TipsMashableThe Social Media Guide. from http://mashable.com/
2010/10/26/10000-websites-integrate-with-facebook-every-day/.
12 The Wall Street Journal reported that 47 of the 101 third party mobile applications tested
transmitted location to third parties. 56 of the same apps transmitted unique device identifiers
(UDIDs) which act similar to permanent cookies, and which users currently have no control
over. See Thurm, S. (2011, December 17). IPhone and Android Apps Breach PrivacyWSJ.com.
The Wall Street Journal from http:// online.wsj.com/article/SB1.
13 Three in five mobile phone owners say they carry their phones at all times, even inside the
home. See: Stanton, D. (2008, September 8). New Study Shows Mobile Phones Merging New,
Established Roles. Knowledge Networks from http://www.knowledgenetworks.com/news/releases/2008/091808lmobilephones.html.
VerDate Nov 24 2008
06:38 Mar 19, 2012
Jkt 073308
PO 00000
Frm 00058
Fmt 6633
Sfmt 6621
SCOM1
PsN: JACKIE
55
2. Existing Privacy Tools are Easily Circumvented
Every major Web browser includes privacy enhancing technologies that can be
used by consumers to limit the extent to which they are tracked online. Unfortunately, these built-in tools, which include private browsing modes and cookie controls, only protect users from some tracking technologies, and do not provide consumers with the privacy protections they may reasonably expect.14
As one example, cookie blocking features in the major Web browsers do not always work in the same way, and even sophisticated users do not fully understand
these intricacies.15 This may cause consumers to have misplaced beliefs about the
extent browsers are protecting them from tracking. But even when consumers do
understand how these features work, sites have consistently devised new ways to
track users and evade the protections of existing privacy tools.
In a study called KnowPrivacy published by my Berkeley colleagues and I in
2009,16 we found that several ad services had deployed a new stealthy technique
to resurrect tracking cookies, even after the user had used the available cookie deletion tools built into his browser. Ad services developed a way to remember the
cookie file using another technologyAdobes Flash Playersuch that they could restore the cookie later, even after the user deleted it. This tracking technologycommonly called Flash cookiesis even more difficult for users to manage with existing
privacy tools, when compared to standard cookie controls.17
Further, some ad services have shifted to new, cutting-edge tracking techniques,
many of which are beyond the control of consumers.18 While these are less well
known, they are no less powerfuland in some cases more powerfulin their ability to track users browsing activities. From a technical perspective, browser vendorsand thus consumersare losing the game of privacy Whack-a-Mole. The ongoing development of new, hidden tracking techniques is far outpacing the ability of
browser vendors to develop and deploy adequate defenses. As a result, consumers
and the privacy controls available to them will likely fail to keep up.
B. Existing Consumer Notice and Choice Mechanisms
The current system of industry self-regulation stresses two complementary approaches regarding online tracking: notice, though privacy policies and in-ad enhancements, and choice, through ad preference managers and industry-provided optout tools.
1. Privacy Policies
For more than a decade, websites have routinely included privacy policies, typically linked to from the bottom of the front page. These documents are often long
and difficult to readmost likely because they are written by lawyers, for lawyers
and have not helped consumers to stay informed about the degree of tracking on14 Soghoian, C. (2010, December 9). Why Private Browsing Modes Do Not Deliver Real Privacy, Internet Architecture Board, Web Privacy Workshop, from http://www.iab.org/about/
workshops/privacy/papers/christopherlsoghoian.pdf.
15 Not all browsers implement third party cookie blocking in the same way. Typically browsers
allow third party cookies by default but if a user elects to configure their browser to block third
party cookies, 3 of the 4 major browsers allow the third party cookies to be read if they were
previously set, such as in a first party context. This is a small technical nuance, but it allows
certain players to proceed as normal with regards to online tracking and potentially cause confusion for consumers as to the degree their privacy is protected. Additionally, it significantly effects whether certain players, i.e., those that consumers have a first party relationship with, receive a competitive advantage over the lesser known websites.
16 Soltani, A., Canty, S., Mayo, Q., Thomas, L., and Hoofnagle, C., Flash Cookies and Privacy
(2009 August 10). Available at SSRN http://ssrn.com/abstract=1446862.
17 Adobe has denounced the use of its Flash technology in order to restore tracking cookies.
Although not yet widely deployed, the company has recently taken steps to work with major
browser vendors in order to move Flash cookie privacy controls directly into the browser settings
and allow users to manage them in a similar way as standard cookies. See Albanesius, C. (2011,
March 8). Adobe Flash Player 10.3 Beta Adds Greater Control OverFlash Cookies PC Magazine. from http://www.pcmag.com/article2/0,2817,2381650,00.asp.
18 In the past year, I have confirmed tracking by third party companies on widely used
websites using mechanisms including but not limited to browser fingerprinting (http://
radar.oreilly.com/2011/03/device-identification-bluecava.html), cache cookies (http://www.
wired.com/epicenter/2009/08/flash-cookieresearchers-spark-quantcast-change/), CSS history
profiling (http://blogs.forbes.com/kashmirhill/2010/11/30/history-sniffing-how-youporn-checkswhat-other-porn-sites-youve-visited-and-ad-networks-testthe-quality-of-their-data/), domain masquerading (http://doi.acm.org/10.1145/1592665.1592668), UDIDs (http://online.wsj.com/article/SB10001424052748704694004576020083703574602.html), and HTML5 storage (http://
www.wired.com/threatlevel/2010/09/html5-safari-exploit/) to track consumers in ways that are
difficult or even impossible to control.
VerDate Nov 24 2008
06:38 Mar 19, 2012
Jkt 073308
PO 00000
Frm 00059
Fmt 6633
Sfmt 6621
SCOM1
PsN: JACKIE
56
line.19 Research has also shown that the majority of Americans incorrectly believe
that the phrase privacy policyand its mere presence on websitessignifies that
their information will be kept private.20
While there is much data to suggest that consumers do not actually read or understand privacy policies, even if they did, many existing privacy policies often provide confusing or even conflicting information. In our KnowPrivacy study, we found
that, among the top 50 most popular websites, many sites that claim to not share
information with third parties later disclaim that they do share information with
affiliates, which sometimes number well over 2000 companies.21
2. Enhanced Notice for Online Ads
One emerging self-regulatory measure is enhanced or robust notice for online
ads. The purpose of enhanced notice is to increase transparencydirectly within the
adinto why the particular ad was chosen and what the attached terms and policies are. Although this is a commendable step forward, the question is how many
users will notice. One self-regulatory firm noted that, during the first few months
of the industrys initiative, the notice on only 0.004 percent of enhanced ads were
clicked by users actually clicked through to the detailed explanatory text.22 While
the initiative is in its early days, this calls into question whether enhanced notice
will be sufficient to deliver meaningful transparency.
3. Ad Preferences Managers
The advertising industry has also created online tools that allow users to view
and modify marketing inferences made about them within ad preferences managers. For example, an ad preferences tool may show the inferences made about
the users demographic information (such as age, income range, education, or geographic location), shopping interests (such as sports, technology, or politics), or even
significant life events (such as getting married soon or having a baby) based on
the users browsing activity. In many cases, these tools also allow consumers to optout of certain consumer marketing sectors from which they do not wish to receive
targeted ads.
Like enhanced notice, ad preference managers improve transparency into the online ad serving ecosystem. But, these managers only present a high-level summary
of the information collected by the ad service. Given their vantage point, third party
ad services have the capability to make inferences or use the data for other, nonadvertising-related purposes, that are not shown in the ad preference managers.23
Im not implying that specific companies are engaged in this practice, just that collection, retention, and correlation of this behavioral data provides the capacity for
this these inferences to be made. More transparency is neededoutside the realm
of online targeted adsabout the information that is collected by third parties and
how they are used.
4. Cookie-based Choice Mechanisms
In addition to notice and transparency, many ad services provide users with the
ability to opt-out. Currently, most opt-outs work using special opt-out cookiesone
for each ad servicestored in the users Web browser. The cookie-based opt-outs
have been plagued by a number of problems, some of which have been addressed
in recent years and others which persist today.
Once consumers realize they are being tracked, they must then begin the process
of obtaining opt-out cookies from each tracking company. One self-regulatory tech19 McDonald, A. and Cranor, L. (2008) The Cost of Reading Privacy Policies. I/S: A Journal
of Law and Policy for the Information Society 2008 Privacy Year in Review issue. [Paper originally presented at TPRC 2008, Sept 2628, 2008, Arlington, VA.] and Privacy Leadership Initiative. Privacy Notices Research Final Results. Conducted by Harris Intereactive, (2001 Dec) from
http://www.ftc.gov/bcp/workshops/glb/supporting/harris%20results.pdf.
20 Turow, J., Mulligan, D., and Hoofnagle C. (2007 Oct), Consumers Fundamentally Misunderstand the Online Advertising Marketplace, from http://groups.ischool.berkeley.edu/samuel
sonclinic/files/annenberglsamuelsonladvertising.pdf.
21 Of the top 50 sites, all stated they collect IP address, 48 collect contact information such
as name and e-mail address, and 39 collect click stream information. Bank of America had over
2,300 affiliates. See Gomez et al. p 24 (previously cited) and KnowPrivacy, http://
knowprivacy.org/profiles/bankofamerica.
22 Evidon served over 11 billion impressions in their first full scale months. Among those who
click on the icon (on .004 percent of ads served), about 3 percent of users opt-out of one or more
provider. See Smith, S. (2011, March 11). MediaPost Publications Browsing Privacys Next Steps
03/11/2011 from http:// www.mediapost.com/publications/?fa=Articles.showArticle&artlaid.
23 Similar to sports and shopping habits, a users browsing habits could allow an observer to
make inferences about a users race, sex, sexual orientation, health status, financial health, and
political affiliation, even though these categories are typically excluded from online preference
managers.
VerDate Nov 24 2008
06:38 Mar 19, 2012
Jkt 073308
PO 00000
Frm 00060
Fmt 6633
Sfmt 6621
SCOM1
PsN: JACKIE
57
nology firm has identified 600 companies involved in collecting or using tracking
data about customers on their sample of 7 million domains.24 Another lists 323
tracking companies publicly.25 Given the value of this marketplace and the speed
with which new entrants emerge, I suspect the actual number of companies engaged
in tracking may be actually be even larger. Even still, identifying 600 hidden trackers and obtaining an opt-out is daunting task for even the most sophisticated privacy-conscious consumer.
Seeking to ease the process of obtaining opt-out cookies, industry self-regulatory
groups such as the Network Advertising Initiative (NAI) have created one-stop
websites where consumers can obtain opt-out cookies for multiple firms. However,
these opt-out sites do not comprehensively cover all online tracking since only a
fraction of approximate 600 companies discussed are covered.26 This problem exists
in the mobile space as well. Currently, nine of the 16 mobile ad companies do not
offer an opt-out,27 and data collected on mobile phones may be particularly sensitive, since it is often accompanied by hardware identifiers that users cannot
change or geographic location information.
Most importantly, even when opt-outs are available, many firms only allow the
user to opt-out of the receipt of targeted advertising, not the online tracking itself.
Advertisers continue to collect and retain data in order to build a profile on the user,
even in the presence of an opt-out cookie.
Finally, cookie-based opt-out mechanisms are inherently brittle. Users are frequently taught to delete their browser cookies on a periodic basis to better protect
their online privacy. But, when the user clears her browser cookies, she will also
inadvertently clear her opt-out cookies, which willcounter-intuitivelyopt the user
back in to tracking.
C. Do Not Track Proposals
Last July, this Committee held a hearing on the topic of online privacy during
which the idea of Do Not Track was discussed. Ever since, there has been a significant amount of public discussion and debate regarding the possibility of a Do
Not Track mechanism. While the nameDo Not Tracksounds much like the highly successful Do Not Call list,28 the only substantive similarity is that they both give
consumers a single point of control to express their privacy preferences. While consumers can register their phone number in a FTC registry for Do Not Call, the single point of control for Do Not Track is likely to be a preference setting in the consumers Web browser or mobile platform.
Two primary technical approaches to Do Not Track have been proposed and implemented by major Web browser vendors. The first method is called the header approach, and the second is called the blocking approach. Two browser vendors have
already taken steps to include these mechanisms in upcoming releases of their products.29
1. The Header Approach
In the header approach, the consumer can toggle a Do Not Track setting in his
Web browser privacy preferences. When this setting is enabled, the browser transmits a special signal to each remote server that the consumer has expressed his
preference to not be tracked.30 The idea is to give users the ability to send a clear,
persistent and technology-neutral signal to websites regarding their tracking pref24 Steel, E. (2011, March 4). Council of Better Business Bureaus to Enforce Online Tracking
Principles Digits. WSJ BlogsWSJ from http://blogs.wsj.com/digits/2011/03/04/council-toenforce-online-tracking-principles/.
25 PrivacyChoice Tracker Index (Mar 14 2011) from http://www.privacychoice.org/companies/
all.
26 At the time of this writing, the NAI opt-out (http://www.networkadvertising.org/managing/optout.asp) currently allows consumers to opt-out of behavioral advertising by 68 member
companies. AboutAds opt-out applies to 61 companies (http://www.aboutads.info/choices/) and
even the most comprehensive list of trackers, offered by the independent group PrivacyChoice
only allows opt-out of 160 (http:// www.privacychoice.org/privacymark).
27 Brock, J. (2011, March 16). Mobile Tracking Privacy: Three thoughts. PrivacyChoice Blog.
from http://blog.privacychoice.org/?p=2882.
28 The Do Not Call list is an FTC enforced initiative based on legislation that creates a centralized registry of numbers that telemarketers may not call, under monetary penalty.
29 Mozillas Firefox 4.0 and Microsofts Internet Explorer 9 (MSIE9) have announced support
for the header mechanism. MSIE9 also supports the blocking method as well via their Tracker
Protection Lists product.
30 Current proposals involve sending a Do Not Track signal using a browser header within
the HTTP protocol.
VerDate Nov 24 2008
06:38 Mar 19, 2012
Jkt 073308
PO 00000
Frm 00061
Fmt 6633
Sfmt 6621
SCOM1
PsN: JACKIE
58
erence. Of course, in order this mechanism to be effective, it will depend upon a
clear set of rules defining what websites should do when they receive this signal.
Under this approach, the onus is on the server to agree to respect the consumers
preference. It is possible that the server could ignore the users request and continue
to engage in tracking anyway, even once best practices are established. Thus, consumers will need a method to verify that servers are complying with the header,
so they can keep firms honest about their commitment to respect user tracking preferences. Publisher sites and U.S. brands that advertise could choose to favor ad
services that respect the header preference.
2. The Blocking Approach
In the blocking approach, the consumer maintains (perhaps with the help of a
trusted third party) a list of servers that are known to engage, or are suspected of
engaging, in unwanted tracking behavior. Once a user has enabled this feature, his
Web browser will automatically block all connections to the servers on the list which
could also result in the blocking the display of advertisement.
As opposed to the header approach, the responsibility to prevent tracking is solely
on the consumer, that is, to obtain an up-to-date list of suspected tracking servers
and to block them. Servers are under no express obligation to abstain from tracking,
so if one is not blocked by a consumers browser, it is free to continue tracking as
usual.
One concern with this approach is that it is sometimes difficult for consumersat-large to determine whether a domain is engaging in tracking behavior and
whether to add that domain to the block list. Additionally, there are many technical
mechanisms that exist today that could be used to circumvent such blocking measures.31
3. Other Considerations
For any consumer choice mechanism to work, we need to clearing define what
tracking means and what obligations are placed on tracking companies when consumers elect to opt-out of tracking. Consumer groups and privacy researchers have
published proposals that attempt to define tracking, 32 but the online advertising
industry has not yet committed to respect the header nor follow any of the proposed
definitions. For example, some in the industry have suggested that, like the current
opt-out system, third parties be allowed permitted to continue to collect information.
Others have proposed that third party services should refrain from collecting and
retaining any information about consumers if they elect to not be tracked. This latter approach, while more privacy-preserving, may impact advertisers abilities to deliver even non-targeted advertisements and includes numerous exceptions to tracking which may defeat the spirit of a privacy mechanism.
A potential way forward may be to agree upon a definition of tracking that balances these conflicting priorities. One of the key components that enables tracking
today is the use of unique identifiers. As such, it may be wise to consider a definition of tracking that focuses on these identifiers, in which third party services make
a good faith effort to strip any unique identifiers associated with the user, browser
or client device making the Web request once the request has been processed and
the service delivered. By focusing on the identifiers, these companies would then be
free to retain the remaining data associated with the users request, providing that
it cannot be re-identified (following current best practices in the space). This approach will likely be good for both business and consumers, since it allows businesses to observe how their websites are being used and secure their servers, while
preventing the creation of individual profiles.
Finally, it is important to consider whether creating more effective choice mechanisms for consumers may have perverse effects and ultimately drive websites to
predicate access to content based on whether or not a consumer has consented to
tracking. Websites could require that consumers allow tracking by third parties the
website is affiliated with in order to gain access to its content. In our original example, WebMD could require that their affiliates, such as DoubleClick, be allowed to
track consumers in order to gain access to useful health information on the website.
This trend could potentially favor large first parties over smaller, independent sites
or allow companies to engage in even more invasive tracking upon receiving affirma31 In particular, domains can spoof the first party transactions that are whitelisted in browsers, or effectively act as first parties. This means that they are bypassing any third party-specific controls used in the browser. See Krishnamurthy et. al., (previously cited).
32 What Does Do Not Track Mean? A Scoping Proposal by the Center for Democracy &
Technology (2011, Jan 31) from http://cdt.org/files/pdfs/CDT-DNT-Report.pdf.
VerDate Nov 24 2008
06:38 Mar 19, 2012
Jkt 073308
PO 00000
Frm 00062
Fmt 6633
Sfmt 6621
SCOM1
PsN: JACKIE
59
tive consent. This is not a reason to abandon efforts to improve consumer choice,
but certainly a reason for Congress to consider the issue carefully.
D. Conclusion
My research has shown that online tracking is pervasive. It is likely to be much
more extensive than users might reasonably expect as they casually browse the
Web. Many of these third party tracking activities are carefully tucked away from
the view of the average user, and even in cases where the user realizes he is being
tracked, the privacy tools he has available are often ineffective at stopping the most
advanced forms of tracking.
Consumers need more transparency into who is tracking them online, what data
is being collected, and how this data is being used, shared or sold. Todays technical
defenses to online tracking are not able to stop the leading tracking technologies,
and consumers often do not have meaningful ways to control them. To be effective,
privacy protections for consumers online will likely require both a technical and policy component, working in tandem, and I believe these discussions here today are
a great step in making that union a reality.
Internet-related debate involves issues that are deeply technical in nature and I
am grateful that this Congressional committee has allowed technologists to participate. Thank you for inviting me to testify here today, and I look forward to helping
the committee understand the technical issues that make online tracking such an
interesting, yet complex, issue. I will be happy to answer any further questions.
Senator KERRY [presiding]. Thanks. Whos next?

Ms. Lawler?
STATEMENT OF BARBARA LAWLER,
CHIEF PRIVACY OFFICER, INTUIT INC.
Ms. LAWLER. Good morning. And thank you to the members of

the Committee for the opportunity to comment on the state of online privacy. My name is Barbara Lawler and Im the Chief Privacy
Officer at Intuit. I ask that my full statement be put into the
record due to time constraints.
Senator KERRY. Without objection it will be.
Ms. LAWLER. Intuits mission is to improve peoples financial
lives so profoundly they cannot imagine going back to the old way
of doing things. It is through this mission that we approach the
current privacy debate. Intuit is a unique corporation adhering to
various regulatory data privacy regimes in the U.S. including financial and health care privacy and the privacy of tax return information.
Additionally, we touch over 50 million people through our products. These people can trust us with their most sensitive data, their
Federal and state income tax return information, their individual
purchase transactions, bill payments and health information, their
business accounts including employee payroll, accounts receivable,
vendor lists, inventory and other business data. As more technology
solutions move to the cloud, customers place more trust in us as
we handle their sensitive data.
At Intuit, we developed data stewardship principles that express
how we think about how we use data, and offer guardrails to guide
our judgment. The central concept of data stewardship is simple.
Its our customers data, not ours. We are and will be held accountable for the information entrusted to us.
As you think about privacy legislation we encourage you to consider four things.
One, a principles-based approach.
Two, a focus on customers.
Three, data-driven innovation.
VerDate Nov 24 2008
06:38 Mar 19, 2012
Jkt 073308
PO 00000
Frm 00063
Fmt 6633
Sfmt 6601
SCOM1
PsN: JACKIE
60
And four, global uniformity.
First, we see the value in comprehensive, principles-based privacy legislation. Because we adhere to various privacy regimes,
this idea could work in tandem with self-regulatory approaches,
codes of conduct and best practices. A principles-based approach is
not prescriptive but enables flexibility to offer data driven solutions
within existing sector specific privacy laws. A principles-based approach could fill the gaps that exist between different sector approaches while at the same time blending with them.
Its also more likely to be received and effectively adapted by all
businesses of all sizes. It is more likely to be understood by the
public it seeks to protect. And a principles-based approach is more
likely to achieve consensus over time in the international context
which will be essential to global competitiveness in the emerging
digital economy.
Such an approach could set forth a minimum set of requirements
for business and provide a fundamental core level of consistency for
businesses and consumers. Codes of conduct based on context, industry sector, technology platform and other data use drivers
would build on top of a privacy baseline. Codes of conduct can serve
as the framework and support for co-regulatory safe harbor programs.
Second, any relevant data regime must be focused on the customer. At Intuit, customers are the heart of everything we do.
What we learn through extensive customer research is that its not
about what we think is best for business or what we think should
be done. Its about keeping whats important to the customer at the
heart of the principles.
Third, responsible data use can foster innovation. Consumers expectations have changed as people are increasingly conducting
their lives online. The volume and complexity of data in this new
connected world presents boundless opportunities to unlock a tremendous amount of data to create better experiences and products
for customers. Intuits approach to data-driven innovation is to responsibly use data entrusted to us by our customers to improve
their financial lives and the products and services we provide them.
Last but not least, legislation must take into account the need
for uniformity among various privacy regimes. In developing privacy principles there needs to be a uniform approach. While so
many laws and regulations are based on essentially the same principles, multi-state and multinational companies are challenged by
the differences among them.
The essence of data stewardship cannot rely on just one element
of our principles. It must be comprised of all of them combined:
uniform principles-based legislation, customer driven innovation
coupled with responsible, innovative and compelling data uses.
Thank you again for giving Intuit the opportunity to express its
thoughts on this important subject. We look forward to working
with you as you evaluate privacy legislation and to answering any
questions you may have.
[The prepared statement of Ms. Lawler follows:]
VerDate Nov 24 2008
06:38 Mar 19, 2012
Jkt 073308
PO 00000
Frm 00064
Fmt 6633
Sfmt 6601
SCOM1
PsN: JACKIE
61
PREPARED STATEMENT
OF
BARBARA LAWLER, CHIEF PRIVACY OFFICER, INTUIT INC.
Good morning and thank you Chairman Rockefeller, Ranking Member Hutchison,
and members of the Committee for providing Intuit the opportunity to share our
point of view on the best way to protect consumer privacy in the technology-driven,
Internet era. We applaud the Committee for its attention to this important issue.
Today, Im here to talk to you about how Intuit views online consumer privacy.
Intuit is in a unique position to comment on the current privacy debate. Not only
do we have a unique perspective given the nature of our comprehensive business
portfolio and compliance with privacy regimes, but fifty million people trust us with
their most sensitive data. I will be talking today about the creation of Intuits Data
Stewardship Principles, the process of how we developed these principles, and what
we learned from this process, as well as the principles themselves.
As you think about comprehensive privacy legislation, we encourage you to focus
on four things:
1. principles-based privacy
2. customers
3. data driven innovation
4. global uniformity
About Intuit
Intuit was founded in Silicon Valley nearly thirty years ago. Our mission is to improve peoples financial lives so profoundly, they cannot imagine going back to the
old way of doing things.
We started small with Quicken personal finance software, simplifying the common
household dilemma of balancing the family checkbook. Today, we are one of the Nations leading providers of tax, financial management and online banking solutions
for consumers and small businesses, and the accountants, financial institutions and
healthcare providers that serve them. We employ nearly 8,000 people, our revenues
top $3.5 billion and were recognized by Fortune Magazine as one of Americas mostadmired software companies and one of the countrys best places to work.
We have always believed that with our success comes the responsibility to give
back. Part of delivering on our mission is serving as an advocate and resource for
economic empowerment among lower income individuals and entrepreneurs. We
have a track record of more than a decade of philanthropy that enables eligible
lower income, disadvantaged and underserved individuals and small businesses to
benefit from our tools and resources for free.
Through it all we remain committed to creating new and easier ways for consumers and businesses to tackle lifes financial chores with the help of technology.
We help our customers make and save money, comply with laws and regulations,
and give them more time to live their lives and grow their businesses.
Our flagship products and services, including QuickBooks, Quicken, Mint.com and
TurboTax, simplify small business management, payment and payroll processing,
personal finance, and tax preparation and filing. We serve half of the accounting
firms in the country, helping them be more productive with tax preparation software. And we help community banks and credit unions grow by providing on-demand solutions and services that make it easier for consumers and businesses to
manage their money.
The innovation and customer driven focus that inspired these breakthroughs
leads us to uncover other unmet needs and large problems to solve. For example,
we are working to simplify the way millions of Americans manage their health and
medical expenses. Today, doctors offices are paper-based, inefficient and need a way
to reduce costs and delight their patients who are increasingly demanding online solutions. Our Intuit Health Patient Portal offering is a secure, online way for doctors
and their patients to communicate and complete key tasks. Patients can request appointments and prescription refills, pay bills, complete forms, receive lab results,
and exchange messages with their doctor. As a result, doctors are able to reduce
costs, delight patients, and qualify for Meaningful Use stimulus funding.
With all of these offerings, we help improve the lives of fifty million people, worldwide.
Were able to do this because our customers entrust us with their most sensitive
datafifty million people trust us with their Federal and state income tax return
information; their individual purchase transactions, bill payments, and health information; and their business accounts, including employee payroll, accounts receivable, vendor lists, inventory and other business data.
We are widely recognized and respected for our strong privacy and security practices. Maintaining our customers trust is critical to maintaining our business and
VerDate Nov 24 2008
06:38 Mar 19, 2012
Jkt 073308
PO 00000
Frm 00065
Fmt 6633
Sfmt 6621
SCOM1
PsN: JACKIE
62
competitive advantage. We do not view customer privacy and security as an exercise
in compliance but as part of our value proposition.
Intuit products span a range of sector-specific regulatory data privacy regimes in
the US, including Gramm Leach Bliley Act, Fair Credit Reporting Act/Fair and Accurate Credit Transactions Act, IRC 7216the privacy of individuals personal tax
information, Health Insurance Portability and Accountability Act; and self-regulatory regimes including PCI Data Security Standards, the U.S.-E.U. Safe Harbor
Program and the TRUSTe Privacy Seal Program.
Given the nature of our comprehensive business, providing solutions for a range
of tax, accounting, personal finance and health care needs, Intuit is in a unique position to comment and shape the online privacy debate.
Intuits Data Stewardship Philosophy
As more solutions move to the cloud, customers place trust in us as we handle
their most sensitive data. Data Stewardship expresses how we think about the use
of data, and offers guardrails to guide our judgment. Just as we talk with our customers about product development, we also talk about their expectations around privacy. Theyve told us explicitly that they expect us to be stewards of their data,
using it responsibly and with integrity, for their benefit, while keeping it private
and secure.
The central concept of Data Stewardship is that it is the customers data, not
ours. Because we hold their most sensitive data, customers place a deep trust in
us. Our customers have told us this directly through our extensive, consumer research. They care deeply how their data is used, they want clear and open explanations and to have contextual, relevant choices about those uses. They expect us
to be accountable to keep our promises. Ethical data stewardship increases customers confidence and trust.
To ensure that our nearly 8,000 employees are clear about how we manage and
respect information entrusted to us, we have created a set of company-wide data
stewardship principles.1 These principles, derived directly from Intuits core operating valuesespecially Integrity without Compromiseare intended to guide our
mindset and behavior in all that we do. They reflect and reinforce that were an organization that is accountable for its actions.
Intuits Data Stewardship Principles
When we apply our Data Stewardship Principles to leveraging data, they enable
us to support Intuits growth strategies while meeting and exceeding our customers
expectations about how we use their data to benefit them and run our business to
provide the products and services that serve them.
We are and will be accountable for the information entrusted to us. By design,
our Data Stewardship Principles align closely with globally recognized fair information practices, including those for online privacy developed in the late 1990s and to
their originating concepts, the Organization for Economic Cooperation and Development (OECD) privacy principles. As we have learned, we believe these Principles
carry the most weight and meaning to actual consumers, based on an extensive research process we will describe below.
As you think about comprehensive privacy legislation, we encourage you to focus
on four things:
1. principles-based privacy
2. customers
3. data driven innovation
4. global uniformity
First, we see the value in comprehensive principles-based privacy legislation. We
believe there is value in the idea of baseline, principle-based privacy legislation that
could work in tandem with self-regulatory approaches and codes of conduct. The Intuit Data Stewardship Principles represent our own internal code of conduct for
data. A principles-based approach is not prescriptive but enables flexibility to offer
data driven solutions within existing sector-specific privacy laws and, most importantly, is technology-neutral.
A principle-based approach could fill the gaps and crevices that exist between the
differing sector approaches, while at the same time blending with them. It is also
more likely to be received and effectively adapted by businesses of all sizes, including small businesses not actively engaged in the privacy landscape. It is more likely
to be understood by the public it seeks to protect. And a principle-based approach
1 See
VerDate Nov 24 2008
06:38 Mar 19, 2012
Appendix A for a list of our Data Stewardship Principles.
Jkt 073308
PO 00000
Frm 00066
Fmt 6633
Sfmt 6621
SCOM1
PsN: JACKIE
63
is more likely to achieve consensus over time in the international context, which will
be essential to global competitiveness in the emerging digital economy. Such an approach could set forth a minimum set of requirements for business, and provide a
fundamental, core level of consistency for businesses and consumers. Codes of conduct, based on context, industry/sector, technology platform or other data use drivers would build on top of a privacy baseline. Codes of conduct can serve as the
framework and support for co-regulatory safe harbor programs.
Second, any relevant data regime must be focused on the customer. As we enter
this important discussion, it is necessary to further emphasize the importance of
both respect for the consumer participation and control of information and the value
and benefit of continued innovation, in particular where the future of economic
growth is goingdata driven innovation. The key to our success and to ensuring
balance among these interests is earning the customers trust.
At Intuit, customers are at the heart of everything we do. We were founded on
the idea of customer driven innovation, a mindset and methodology to uncover important, unsolved problems. Many companies talk about customer focus, customer
innovation, but the level of commitment to this, and the rigor we put behind it, differentiates us.
For nearly thirty years, our passion for inventing products to solve important
problems and perfecting those products to delight our customers, through direct customer feedback and observation, has made Intuit the first choice in financial software for consumers and small businesses. We have an instituted practice within our
Corporation called follow me homes in which representatives from the Corporation
spend a few hours with our customers to not only receive feedback on our products
but to also identify key customer needs to amend our product. The Corporation commits to over 10,000 employee hours of follow me homes per yearwith our CEO
committing to approximately sixty hours per year himself. We supplement followme-homes with direct customer research, and by bringing customers into special
labs or focus groups to evaluate and give feedback on the customer experience and
usability of our products and services. Our respect for the customer is reflected in
the policies and practices that have driven our business. Trusted data stewardship
is central to that commitment and to our success.
The development of our Data Stewardship Principles is kept customers as our
central focus: as our established practices suggest, we took our customers along with
us on the journey to define our principles about the use of data in a way that reflects the needs, concerns and values of those customers. We took draft Data Stewardship Principles directly to our customers and asked them for their feedback, on
both the concepts and words, on intent and practice, with real-world customer experience and expectations. Over the period of the last year alone, we conducted two
rounds of quantitative, statistically valid surveys that cut across multiple customer
bases and product lines to get feedback and learn if Data Stewardship and Privacy
mattered to them, which principles and how much. We conducted four rounds of
qualitative customer focus group sessions to dive deeper into the subtleties of transparency, choice, data use cases and security.
Staying true to customer driven innovation, we iterated and refined the Data
Stewardship Principles over the course of the customer research process. After several rounds of input and iteration, the Principles have been extremely well received.
Let me share some of the insights from the more than 100 consumers and small
businesses we talked to in focus groups:
Customers may not read privacy policies but care deeply about how their data
is used.
Consumers are smarter than some give them credit forthey are aware of a
wide range of data uses, to benefit them directly and for necessary internal
business operations.
While a majority of our customers already have a positive impression of Intuit,
the Data Stewardship Principles further build trust.
Across all research studies, the principle around not selling or sharing personal
data is the most important.
The more transparent (meaning open, simple and clear) the company is, the
more customer trust increases and the customers need for detailed and frequent or repetitive choice mechanisms appears to decrease.
Training employees to uphold these principles is also important to customers
and adds an incremental level of trust that we will deliver against our promises.
Here are a few illustrative verbatim statements from our customers that show
what Intuits Data Stewardship Principles mean to them:
VerDate Nov 24 2008
06:38 Mar 19, 2012
Jkt 073308
PO 00000
Frm 00067
Fmt 6633
Sfmt 6621
SCOM1
PsN: JACKIE
64
This is what makes customers trust them. I like that privacy is paramount &
do believe theyre committed to this.Mike, consumer in San Diego
Customer focused, protecting my data and interests, holding themselves accountable. I like that these principles are very specific. There is no doubt, or
any way to not understand exactly how Intuit intends to treat my information.
I like that.Jackie, small business owner in Oakland
Because of these principles, I will continue to use their products.Darryl, consumer in Denver
A little safer in an unsafe world.Erica, consumer in Atlanta
When customers participate directly in the shaping of Data Stewardship Principles, it brings to life the Fair Information Practice concepts of Transparency and
Individual Participation in profound ways.
Specifically, we have learned through this process what is substantive and meaningful to consumers.
Third, responsible data use can foster innovation. The world is quickly shifting
from a paper-based, human-produced, brick-and-mortar-bound market to one where
people understand, appreciate and embrace the benefits of truly connected software,
platforms and services.
Consumers expectations have changed as people are increasingly conducting their
lives online. Cloud computing makes it easier to access and use online sites anytime and anywhere an individual chooses. Consumers expect to interact online in
an always on environment and to have technology make life easier. They demand
even greater simplicity, such as not having to re-enter their data when they use
more than one of our products or services. Increasingly, new products and services
as well as enhancements to existing ones will employ more and more sophisticated,
rich, real-time interactive use of data, directed and prompted by customer actions
and expectations of product functionality.
The volume and complexity of data in this new world present boundless opportunities to unlock a tremendous amount of data to create better experiences and products for customers, all while keeping our customers data safe.
Intuits approach to data driven innovation is to responsibly use data entrusted
to us by our customers to improve their financial lives and the products and services
we provide them. This data includes information about our customerswho they
are, where they are and how they use our products. By compiling and interpreting
this data, we can create innovative, easy-to-use products that delight customers by
helping them make and save money. Were also able to provide customers with information that gives them greater insight into their financial lives and helps them
to achieve their personal and business goals.
To retain consumer trust in that context, Intuits vision is that privacy and security are central to the concept of customer delight, and therefore serve as a competitive advantage.
For innovation to thrive, we must unlock the power of data under a Data Stewardship regime. The essence of Data Stewardship cannot rely on just one element
of our principles, it must be comprised of all of them combined: customer driven innovation coupled with responsible, innovative, and compelling data uses. Moreover,
as global competitiveness evolves beyond the bricks-and-mortar economies of the
past, and international trade takes on an electronic character in the economy of the
future, sound business practices and wise public policy are critical components of
innovation, invention, and full, fair and open competition.
Last but not least, legislation must take into account the need for uniformity
among various privacy regimes. While so many laws and regulations are based on
essentially the same principles, multi-state and multi-national companies are challenged by the differences among them. Some regulations in breach notification, for
example, require notification of some state agencies; others do not. The notification
triggers and thresholds are different. And the definitions of important terms vary
across the landscape.
In a domestic context, we support a uniform Federal breach notification law.
Aligning practices across states would provide benefits for consumers who purchase
from merchants in other states. It would also lessen the complexity for merchants,
a consistent goal in improving the economy.
In an international context, baseline principles that align with the Asia-Pacific
Economic Coordination (APEC) Privacy Principles and the E.U. Directive would improve multi-national commerce, allowing the freer-flow of transactions and data
across borders, in a consistent trusted manner. This, in turn, would improve the
U.S. economy through vibrant trade. Intuit agrees that the U.S. Government should
continue to work toward increased cooperation among privacy enforcement authorities around the world and develop a framework for mutual recognition of other
VerDate Nov 24 2008
06:38 Mar 19, 2012
Jkt 073308
PO 00000
Frm 00068
Fmt 6633
Sfmt 6621
SCOM1
PsN: JACKIE
65
countries frameworks. Intuit agrees that the U.S. should also continue to support
the APEC Privacy Principles Pathfinder Project, because it is the best framework
to achieve data privacy interoperability in the 21st century.
Conclusion
Once again, Mr. Chairman, Senator Hutchison, members of the Committee, thank
you again for giving Intuit the opportunity to express its thoughts on this important
subject. Maintaining customers trust is the foundation to building privacy principles. It is with this trust that we will learn from the customers about what they
really want and what is important to them when it comes to their data. In the 21st
century, customers demand more in a connected world. We must work toward the
shared goal of protecting consumers while maintaining data driven innovation to
improve our customers financial lives, in a trusted, real, and fundamental way.
We look forward to working with you and the Committee toward this goal.
APPENDIX A
Intuit Data Stewardship Principles
What we stand for:
Our customers privacy (and their customers and employees) is paramount to
us.
Our customers place a deep trust in Intuit because we hold their most sensitive
data . . . therefore, we are a trusted steward of their data.
Our company values start with Integrity without Compromise, and our privacy
principles require that we all be accountable.
How we run our business (what we hold ourselves accountable to):
We will not:
Without explicit permission, sell, publish or share data entrusted to us by a customer that identifies the customer or any person.
We will:
Use customer data to help our customers improve their financial lives. We help
them make or save money, be more productive, and comply with laws and regulations.
Use customer data to operate our business, including helping our customers improve their user experience and understand the products and services that are
available to help them.
Give customers choices about our use of data that identifies them.
Give open and clear explanations about how we use data.
Publish or share combined, unidentifiable customer data, but only in a way that
would not allow the customer or any person to be identified.
Train our employees about how to keep data safe and secure, and educate our
customers about how to keep their and their customers data safe and secure.
Senator KERRY. Thank you, Ms. Lawler.

Mr. Calabrese?
STATEMENT OF CHRISTOPHER R. CALABRESE,
LEGISLATIVE COUNSEL, AMERICAN CIVIL LIBERTIES UNION,
WASHINGTON LEGISLATIVE OFFICE
Mr. CALABRESE. Thank you, Chairman Kerry, members of the

Committee. Thank you for the opportunity to testify on behalf of
the American Civil Liberties Union. We support comprehensive
protections for Americans personal information including a Do Not
Track mechanism.
One of the new models of Internet advertising has been to target
ads at the specific individual in order to make those ads more relevant. The result has been a system where Americans are routinely
tracked as they surf the Internet. Americans assume there is no
VerDate Nov 24 2008
06:38 Mar 19, 2012
Jkt 073308
PO 00000
Frm 00069
Fmt 6633
Sfmt 6601
SCOM1
PsN: JACKIE
66
central record of what they do and where they go online. However
in many instances that is no longer the case.
Behavioral marketers, social networks and other online companies are creating profiles of unprecedented depth and breadth that
reveal the personal aspects of our lives including our religious and
political beliefs, medical information, purchases and reading habits.
These profiles can legally be shared with anyone including offline
companies, employers and the government. This data collection is
neither benign nor anonymous.
Individual profiles identify our mental health, sexual orientation
or issues with weight. They may indicate particular vulnerabilities.
Ninety-two-year-old veteran, Richard Guthrie was bilked out of
more than $100,000 by criminals who identified him from marketing lists.
Cate Reid, a recent high school graduate has been identified by
advertisers as concerned about her weight. Every time I go on the
Internet, she says, she sees weight loss ads. Im self-conscious
about my weight. I try not to think about it. Then the ads start
me thinking about it.
Information that can be used for identity theft is online but beyond our control. One reporter asked a company to search out information on her armed only with her name and e-mail address.
She said. Within 30 minutes the company had my social security
number. In 2 hours they knew where I lived, my body type, my
hometown, my health status.
Nor are individual web surfing habits anonymous. Many companies now provide a way to directly link your name and mailing address to your web surfing habits. Companies know who you are online. All of this information is available for sale with no controls.
Of particular concern, of course to the ACLU, is government access. Many civil liberties benefits of the Internet, ability to read
provocative materials, associate with non-mainstream groups, voice
dissenting opinions are based on the assumptions of practical anonymity and freedom from government scrutiny. Because of this information collections these assumptions are rapidly eroding.
Law enforcement routinely purchases access to offline private
data bases full of detailed profiles on each of us with no legal process. They could legally do the same with online information. In fact
online and offline data bases of personal information are increasingly linked. But we have no right to access those same data bases
or control how theyre used.
Solutions exist. The technology may be new but the problems are
not. Congress and the states have passed many laws to protect
Americans reading habits and viewing habits in the offline world.
More than 30 years ago the U.S. Department of Health, Education
and Welfare crafted basic privacy principles. Called the Fair Information Practice Principles they have become the basis for comprehensive privacy laws in many industrialized nations as well as
sector specific laws in the United States.
The Department of Commerce recently called for adoption of
these principles for the Internet. We endorse the use of fair information practices as well. In addition the private sector is developing innovative solutions like a Do Not Track mechanism.
VerDate Nov 24 2008
06:38 Mar 19, 2012
Jkt 073308
PO 00000
Frm 00070
Fmt 6633
Sfmt 6601
SCOM1
PsN: JACKIE
67
These mechanisms need to be backed by the force of law. We reject any approach that relies solely on self regulation by companies.
Self regulation by itself is a failed approach. It has allowed the current data collection practices to flourish.
Consumers want change. Surveys show that 67 percent rejected
the idea that advertisers should be able to match ads based on specific websites consumers visit. And 61 percent believe these practices were not justified even if they kept costs down and allowed
consumers to visit websites for free.
Ultimately if this information collection is allowed to continue
unchecked then capitalism could build what the government never
could, a complete surveillance state online. Without government
intervention we may soon find the Internet has been transformed
from a library and a playground to a fish bowl. And that we have
unwittingly seeded core values of privacy and autonomy.
Thank you.
[The prepared statement of Mr. Calabrese follows:]
PREPARED STATEMENT OF CHRISTOPHER R. CALABRESE, LEGISLATIVE COUNSEL,
AMERICAN CIVIL LIBERTIES UNION, WASHINGTON LEGISLATIVE OFFICE
Good morning Chairman Rockefeller, Ranking Member Hutchison, and members
of the Committee. Thank you for the opportunity to testify on behalf of the American Civil Liberties Union (ACLU) its more than half a million members, countless
additional activists and supporters, and fifty-three affiliates nationwide, about the
importance of online privacy. We support comprehensive protections for Americans
personal information and specifically support a Do Not Track option for online consumers. These protections are crucial for preventing harm to consumers and to safeguard Americans First and Fourth Amendment rights online.
I. Introduction
Rapid technological advances and the lack of an updated privacy law have resulted in a system where Americans are routinely tracked as they surf the Internet.
The result of this trackingoften performed by online marketersis the collection
and sharing of Americans personal information with a variety of entities including
offline companies, employers and the government. As greater portions of our lives
have moved online, unregulated data collection has become a growing threat to our
civil liberties.
As one recent report explains, the Internet has been an engine of radical, positive
changes in the way we communicate, learn, and transact commerce.1 The Internet
allows us to connect to one another and share information in ways we never before
could have imagined. Many of the civil liberties benefits of the Internetthe ability
to access provocative materials more readily, to associate with non-mainstream
groups more easily, and to voice opinions more quickly and at lower costare enhanced by the assumption of practical anonymity. Similarly, consumers are largely
unaware of the breadth of information collection and the various uses to which it
is put.
In short, Americans assume that there is no central record of what they do and
where they go online. However in many instances that is no longer the case. Behavioral marketers are creating profiles of unprecedented breadth and depth that reveal
personal aspects of peoples lives including their religious or political beliefs, medical
information, and purchase and reading habits. Even as behavioral targeting continues to grow, its practitioners have already demonstrated a disturbing ability to
track and monitor an individuals actions online.
If this collection of data is allowed to continue unchecked, then capitalism will
build what the government never coulda complete surveillance state online. Without government intervention, we may soon find the Internet has been transformed
from a library and playground to a fishbowl, and that we have unwittingly ceded
core values of privacy and autonomy.
1 Federal Trade Commission (Bureau of Consumer Protection), A Preliminary FTC Staff Report on Protecting Consumer Privacy in an Era of Rapid Change: A Proposed Framework for
Businesses and Policymakers, December 1, 2010.
VerDate Nov 24 2008
06:38 Mar 19, 2012
Jkt 073308
PO 00000
Frm 00071
Fmt 6633
Sfmt 6621
SCOM1
PsN: JACKIE
68
II. Americans have embraced technology, but they still expect privacy
Technology has moved rapidly and Americans have adopted these changes into
their lives:
Over 50 percent of American adults use the Internet on a typical day.2
62 percent of online adults watch videos on video-sharing sites,3 including 89
percent of those aged 1829.4
Over 70 percent of online teens and young adults5 and 35 percent of online
adults have a profile on a social networking site.6
83 percent of Americans own a cell phone and 35 percent of cell phone owners
have accessed the Internet via their phone.7
Companies continue to innovate and create new ways for Americans to merge
technology with daily activities. Google has spent the last 5 years building a new
online book service and sales of digital books and devices have been climbing.8
Americans increasingly turn to online video sites to learn about everything from
current news to politics to health.9 Location-based services10 are also a burgeoning
market.11
However this rapid adoption of new technology has not eliminated Americans expectations of privacy. To the contrary, Americans still expect and desire that their
online activities will remain private, and express a desire for laws that will protect
that privacy:
69 percent of Internet users want the legal right to know everything that a
Website knows about them.12
92 percent want the right to require websites to delete information about
them.13
And consumers oppose online tracking:
67 percent rejected the idea that advertisers should be able to match ads based
on specific websites consumers visit; 14 and
2 Common daily activities include sending or receiving e-mail (40+ percent of all American
adults do so on a typical day), using a search engine (35+ percent), reading news (25+ percent),
using a social networking site (10+ percent), banking online (15+ percent), and watching a video
(10+ percent). Pew Internet & American Life Project, Daily Internet Activities, 20002009,
http://www.pewinternet.org/Trend-Data/Daily-Internet-Activities-20002009.aspx.
3 A video-sharing site or video hosting site is a website that allow users to upload videos
for other users to view (and, often, comment on or recommend to others). Wikipedia, Video
Hosting Service, http://en.wikipedia.org/wiki/Videolsharing (as of January 21, 2011).
YouTube is the most common video-sharing site today.
4 Pew Internet & American Life Project, Your Other Tube: Audience for Video-Sharing Sites
Soars, July 29, 2009, http://pewresearch.org/pubs/1294/online-video-sharing-sites-use.
5 Pew Internet & American Life Project, Social Media & Young Adults, Feb. 3, 2010, http://
www.pewinternet.org/Reports/2010/Social-Media-and-Young-Adults.aspx.
6 Social networking sites allow users to construct a semi-public profile, connect with other
users of the service, and navigate these connections to view and interact with the profiles of
other users. Danah M. Boyd & Nicole B. Ellison, Social Networking Sites: Definition, History,
and Scholarship, 13 J. of Comp.-Mediated Comm. 1 (2007); Pew Internet & American Life
Project, Adults & Social Network Sites, Jan. 14, 2009, http://www.pewinternet.org/Reports/
2009/Adults-and-Social-Network-Websites.aspx.
7 Pew Internet & American Life Project, Internet, Broadband, and Cell Phone Statistics, Jan.
5, 2010, http://www.pewinternet.org/Reports/2010/Internet-broadband-and-cell-phone-statistics.aspx.
8 See generally ACLU of Northern California, Digital Books: A New Chapter for Reader Privacy, Mar. 2010, available at http://www.dotrights.org/digital-books-new-chapter-reader-privacy.
9 More Americans are watching online video each and every month than watch the Super
Bowl once a year.. Greg Jarboe, 125.5 Million Americans Watched 10.3 Billion YouTube Videos
in September, SearchEngineWatch.com, Oct. 31, 2009, http://blog.searchenginewatch.com/
091031110343.
10 Location-based services is an information service utilizing the users physical location
(which may be automatically generated or manually defined by the user) to provide services.
Wikipedia, Location-Based Service, http://en.wikipedia.org/wiki/Location-basedlservice (as of
January 21, 2011).
11 Recent location-based service Foursquare built a base of 500,000 users in its first year of
operation. Ben Parr, The Rise of Foursquare in Numbers [STATS], Mashable, Mar. 12, 2010,
http://mashable.com/2010/03/12/foursquare-stats/.
12 Joseph Turow, et al., Americans Reject Tailored Advertising 4 (2009), available at http://
papers.ssrn.com/sol3/papers.cfm?abstractlid=1478214.
13 Id.
14 Lymari Morale, U.S. Internet Users Ready to Limit Online Tracking for Ads, USA
TODAY, December 21, 2010.
VerDate Nov 24 2008
06:38 Mar 19, 2012
Jkt 073308
PO 00000
Frm 00072
Fmt 6633
Sfmt 6621
SCOM1
PsN: JACKIE
69
61 percent believed these practices were not justified even if they kept costs
down and allowed consumers to visit websites for free.15
In sum, while Americans make great use of the Internet, they are very concerned
about their privacy and specifically troubled by the practice of behavioral targeting.
III. The data collected by behavioral marketers forms a personal profile of
unprecedented breadth and depth
Behavioral targeting contravenes many Americans expectation of privacy and
how they should be treated online. Online advertising is one of the fastest growing
businesses on the Internet and it is based on collecting a staggering amount of information about peoples online activities. Advertising has always been prevalent online, but instead of targeting websitessuch as advertising shoes on a shoe store
siteadvertisers now use personal information to target individuals directly.
They do this using different surveillance tools. The simplest tools are cookies. A
cookie is a file that a website can put on a users computer when the user visits
it so that when the user returns, or visits another affiliated site, it remembers certain information about the user. Cookies were initially used to help websites remember user passwords or contents in shopping bags, but as online marketing grew
more sophisticated, cookies did too. Advertisers and aggregators modified cookies to
track peoples web page visits, searches, online purchases, videos watched, posts on
social networking, and so on.
Another popular and even more invasive tool for tracking is the flash cookie.
Flash cookies are often used by data aggregators to re-install a regular cookie that
a user had detected and deleted. The newest and most aggressive form of tracking
is the beacon. Beacons, also known as web bugs, are often used by sites that hire
third party services to monitor user actions. These devices can track a users movements extremely closely; to the point that they can monitor keystrokes on a page
or movements by a users mouse. The result of these practices is the collection and
sale of a wealth of consumer data without any legal limits or protections for individuals.
As targeted ads become increasingly profitable, behavioral marketers are growing
more ambitious and seeking to form an even more complete picture of unsuspecting
citizens. The Wall Street Journal recently conducted a comprehensive study on the
effects of online marketing on individual privacy and the results were alarming. The
study found that the Nations 50 top websites installed an average of 64 pieces of
tracking technology on users computers, usually with no warning. A dozen sites installed over a hundred. For example, the study found that Microsofts popular
website, MSN.com, attached a tracking device that identified and stored users detailed personal information. According to the tracking company that created the file,
it could predict a users age, zip code, and gender, as well as an estimate of a users
income, marital status, family status and home ownership status.16 These new technologies allow marketers to combine a vast amount of information gleaned from different websites over time in order to paint an extremely detailed profile of potential
consumers. Any particular website may have little information and this may not
alarm some, but when a large number of these data points are aggregated, an extremely detailed picture results.
In addition, the Wall Street Journal found that tracking technology has become
so advanced and covert that the website owner is often not even aware of its presence. Microsoft, one of the largest developers of computer software in the world, said
it did not know about the tracking devices on its site until informed by the Journal.17 If these technologies have become as surreptitious as to slip past sophisticated website owners, it is completely unreasonable to believe that the average user
would be able to avoid their spying.
IV. Identifying individuals and the merger of online and offline identity
Online and offline data companies are combining forces to get an even more detailed profile of consumers and further erode privacy. For example, Comscore, a
leading provider of website analytic tools, boasts that online behavioral data can
. . . be combined with attitudinal research or linked with offline databases in order
to diagnose cross-channel behavior and streamline the media planning process. 18
In another example, the data firm Aperture has made the connection between online and offline identities by collecting data from offline data companies like
15 Id.
16 Angin
Win, The Webs New Gold Mine: Your Secrets, Wall Street Journal, July 30, 2010.
17 Id.
18 Why Comscore?, http://comscore.com/AboutlcomScore/WhylcomScore (last visited January 21, 2011).
VerDate Nov 24 2008
06:38 Mar 19, 2012
Jkt 073308
PO 00000
Frm 00073
Fmt 6633
Sfmt 6621
SCOM1
PsN: JACKIE
70
Experian or Nielsens Claritas and then combining it with a huge database of e-mail
addresses maintained by its parent company, Datran Media.19 According to media
reports, many major companies are working with Aperture.20 The line between
merging online and offline data isnt no-mans land anymore; its becoming more of
a common practice, said Mike Zaneis, Washington lobbyist for the Interactive Advertising Bureau. 21 A variety of services offer to merge names and postal addresses
with collected IP and e-mail addresses.22
To be clear: such a merger of data is only possible when consumers are specifically
identified. As described above, markets are using personal identifiers like e-mail addresses to connect online browsing habits to offline information from other databases. One venture capitalistic described it to the Wall Street Journal: Theyre trying to find better slices of data on individuals, says Nick Sturiale, a general partner
at Jafco Ventures, which has largely avoided the sector. Advertisers want to buy
individuals. They dont want to buy [Web] pages. 23 You can only buy individuals
when you know who they are.
V. Regulation of behavioral targeting does not threaten the Free Internet
The ACLU believes the Internet is the most advanced marketplace of ideas and
one of the greatest tools ever created for advancing Americans First Amendment
rights. We would never endorse any regulation that endangered the robustness and
variety of this medium. Laws protecting personal information and those that would
create a Do Not Track mechanism would not harm the Internet or end the provision of free products or services.
Behavioral targeting is different than contextual advertising, another type of online ad service which shows ads to users based on the content of the web page they
are currently viewing or the web search they have just performed. When this pairing of ads to users interests is based only on a match between the content of an
ad and a single page or search term, a website or advertising network requires no
personal information about a user beyond an IP address. The practice does not raise
significant privacy concerns.
Nor would commonsense regulations necessarily foreclose the use of consumer
data as part of advertising and services. For example, a consumer may want to
allow significant data collection by websites with whom they already have a relationship. Companies like Google and Amazon gather information that has demonstrable benefit to the consumerby providing book recommendations or easy-to-use
maps. Consumers may welcome targeted ads when they feel in control of their own
information or may consider it a fair tradeoff for other goods or services.
Content has been supported for years (and in many cases for decades and even
centuries) through advertising without the need for detailed targeting and tracking
of consumers. But studies have demonstrated that the vast majority of the revenue
from tracking consumers online goes not to content providers but rather to the behavioral targeters themselves. Industry sources say that 80 percent of the revenue
from targeting4 in 5 dollarswent to create and enhance the targeting system,
not to publishers.24 Major publishers like the New York Times have endorsed a Do
Not Track mechanismclearly they are not concerned that such a mechanism will
harm their ad revenue.25
VI. Access to extensive personal profiles threatens personal privacy and
the First and Fourth Amendment
It is no exaggeration to say that data profileswhich may combine records of a
persons entire online activity and extensive databases of real-world, personally
identifiable informationdraw a personal portrait unprecedented in scope and detail. Because the Internet has become intertwined with so many personal facets of
our lives, the same technology that has provided such tremendous advances also
creates the possibility of tremendous intrusion by companies and the government.
19 Michael Learmonth, Holy Grail of Targeting is Fuel for Privacy Battle, Advertising Age,
March 22, 2010.
20 Id.
21 Id.
22 See: http://biz.freshaddress.com/RealTimePostalAppend.aspx. For a long list of their clients
please see: http://biz.freshaddress.com/ClientsByName.aspx.
23 Scott Thrum, Online Trackers Rake in Funding, Wall Street Journal, February 25, 2011
at: http://online.wsj.com/article/SB10001424052748704657704576150191661959856.html#ixzz
1FYWLkEWm.
24 The Jordan Edmiston Group, M&A Overview and Outlook, Slide 13, can be found at: http://
www.jegi.com/files/docs/IABMIXX.pdf.
25 Protecting Online Privacy, New York Times, December 4, 2010.
VerDate Nov 24 2008
06:38 Mar 19, 2012
Jkt 073308
PO 00000
Frm 00074
Fmt 6633
Sfmt 6621
SCOM1
PsN: JACKIE
71
i. Non-governmental actors
The harms caused by excessive and invasive data collection are real and pressing.
They begin with straightforward invasions of privacy. Should anyone have the right
to know and sell to others the fact that you are overweight, or depressed, or gay? 26
These are all commonplace occurrences with marketers and social networking sites
routinely making and selling these determinations. They have significant consequences for consumers who have no say in the collection and use of their own information. As the Wall Street Journal explains:
Yahoos network knows many things about recent high-school graduate Cate
Reid. One is that she is a 13- to 18-year-old female interested in weight loss.
Ms. Reid was able to determine this when a reporter showed her a little-known
feature on Yahoos website, the Ad Interest Manager, that displays some of the
information Yahoo had collected about her.
Yahoos take on Ms. Reid, who was 17 years old at the time, hit the mark: She
was, in fact, worried that she may be 15 pounds too heavy for her 5-foot, 6-inch
frame. She says she often does online research about weight loss.
Every time I go on the Internet, she says, she sees weight-loss ads. Im selfconscious about my weight, says Ms. Reid, whose father asked that her hometown not be given. I try not to think about it. . . . Then [the ads] make me
start thinking about it. 27
This tracking is ubiquitous around the Internet with tracking technology on 80
percent of 1,000 popular sites, up from 40 percent of those sites in 2005.28
In the information age knowledge is power and personal information can be used
for many other purposes. A data-mining firm called Rapleaf has said it can make
determinations about creditworthiness and whether someone will be a good customer.29 A defense attorney attempted to access the social networking pages of two
teens in order to prove they were appropriately denied health care.30 One employer
demanded access to its employees private Facebook account as part of a background
check.31
When information escapes a consumers control, it gives power to others to make
decisions about them that have real consequences for their lives. In addition, the
lack of control and transparency surrounding consumer personal information harms
not just consumers but the Internet as a whole. Uncertainty over the use or misuse
of information by third parties retards the adoption of new technologies and makes
consumers more anxious about revealing personal information.
Personal information can also reveal weaknesses that unscrupulous actors can exploit. Ninety-two year old veteran Richard Guthrie was bilked out of more than
$100,000 by criminals who identified him from marketing lists.32 InfoUSA routinely
advertised lists of:
Elderly Opportunity Seekers, 3.3 million older people looking for ways to
make money, and Suffering Seniors, 4.7 million people with cancer or Alzheimers disease. Oldies but Goodies contained 500,000 gamblers over 55
years old, for 8.5 cents apiece. One list said: These people are gullible. They
want to believe that their luck can change. 33
26 See Testimony of Pam Dixon The Modern Permanent Record and Consumer Impacts from
the Offline and Online Collection of Consumer Information, Before the Subcommittee on Communications, Technology, and the Internet, and the Subcommittee on Commerce, Trade, and
Consumer Protection of the House Committee on Energy and Commerce November 19, 2009 at
http://www.worldprivacyforum.org/pdf/TestimonyofPamDixonfs.pdf; Brett Michael Dykes,
Latest Facebook privacy outrage: ad data outing gay users, The Upshot, October 22, 2010 at:
http://news.yahoo.com/s/ybloglupshot/20101022/bslybloglupshot/latest-facebook-privacyoutrage-ad-data-outing-gay-users.
27 Win article.
28 Id.
29 Lucas Conley, How Rapleaf Is Data-Mining Your Friend Lists to Predict Your Credit Risk,
FAST COMPANY November 16, 2009 at http://www.fastcompany.com/blog/lucas-conley/advertising-branding-and-marketing/company-we-keep.
30 Mark Stein, Facebook Page? Or Exhibit A in Court?, Portfolio.com, February 5, 2008
http://www.portfolio.com/views/blogs/daily-brief/2008/02/05/facebook-page-or-exhibit-a-incourt/.
31 Matt Liebowitz Boss Demands Employees Facebook Password, MSNBC.com, March 1,
2011 http://www.msnbc.msn.com/id/41743732/ns/technologylandlscience-security/.
32 Charles Duhigg, Bilking the Elderly, With a Corporate Assist, New York Times. May 20,
2007 http://www.nytimes.com/2007/05/20/business/20tele.html?lr=2.
33 Id.
VerDate Nov 24 2008
06:38 Mar 19, 2012
Jkt 073308
PO 00000
Frm 00075
Fmt 6633
Sfmt 6621
SCOM1
PsN: JACKIE
72
In other cases thieves purchased access to databases of Americans personal information and used that information to commit identity theft.34
Collection of personal information online turbo-charges this process. One reporter
asked a company to search out information about her online. She disclosed that,
armed only with her name and e-mail address, Within 30 minutes, the company
had my Social Security number; in 2 hours, they knew where I lived, my body type,
my hometown, and my health status. 35
ii. Governmental actors
As their contracts with the data aggregator industry demonstrate, government
and law enforcement agencies have also found these personal data profiles irresistible. In 2006 the Washington Post reported that the Federal Government and states
across the country have developed relationships with private companies that collect
personal information about millions of Americans, including unlisted cell phone
numbers, insurance claims, drivers license photographs, and credit reports through
private data aggregators including Accurint, Entersect and LexisNexis. In fact,
Entersect boasts that it is the silent partner to municipal, county, state, and Federal justice agencies who access our databases every day to locate subjects, develop
background information, secure information from a cellular or unlisted number, and
much more. 36
The Central Intelligence Agency (CIA), via its investment arm In-Q-Tel, has invested in a software company that specializes in monitoring blogs and social networks 37 and the Department of Defense, the CIA, and the Federal Bureau of Investigation (FBI) have all purchased use of private databases from Choicepoint, one of
the largest and most sophisticated aggregators of personal data.38 In the words of
the FBI, We have the legal authority to collect certain types of information because ChoicePoint is a commercial database, and we purchase a lot of different
commercial databases. . . . They have collated information that we legitimately
have the authority to obtain. 39
The government has demonstrated an increasing interest in online user data in
other ways as well. In 2006 the Department of Justice (DOJ) subpoenaed search
records from Google, Yahoo!, and other search providers in order to defend a lawsuit.40 In 2007, Verizon reported receiving 90,000 requests per year and in 2009,
Facebook told Newsweek it was getting 10 to 20 requests each day. In response to
increasing privacy concerns, Google started to publish the number of times law enforcement asked for its customers information and reported over 4,200 such requests in the first half of 2010 alone. In the words of Chris Hoofnagle, a senior fellow at the Berkeley Center for Law and Technology, These very large data bases
of transactional information become honey pots for law enforcement or for litigants. 41 Given the governments demonstrated drive to access both online data and
commercial data bases of personal information, it seems nearly certain that law enforcement and other government actors will purchase or otherwise access the type
of detailed profiles of online behavior compiled by behavioral marketers.
Our First Amendment rights to freedom of religion, speech, press, petition, and
assembly are based on the premise that open and unrestrained public debate empowers democracy by enriching the marketplace with new ideas and enabling political and social change through lawful means. The Fourth Amendment shields private conduct from unwarranted government scrutiny. Together the exercise of these
rights online has allowed the Internet marketplace of ideas to expand exponentially.
34 Federal Trade Commission, ChoicePoint Settles Data Security Breach Charges; to Pay $10
Million in Civil Penalties, $5 Million for Consumer Redress, January 26, 2006. http://
www.ftc.gov/opa/2006/01/choicepoint.shtm.
35 Jessica Bennett, What the Internet Knows about You, Newsweek, October 22, 2010.
http://www.newsweek.com/2010/10/22/forget-privacy-what-the-internet-knows-about-you.html.
36 OHarrow Jr Robert, Centers Tap into Personal Databases, Washington Post, April 2, 2008.
37 Noah Shactman, U.S. Spies Buy Stake in Firm That Monitors Blogs, Tweets, Wired, October 19, 2009 at http://www.wired.com/dangerroom/2009/10/exclusive-us-spies-buy-stake-intwitter-blog-monitoring-firm.
38 Shane Harris, FBI, Pentagon Pay For Access to Trove of Public Records, National Journal., Nov. 11, 2005 at http://www.govexec.com/storypage.cfm?articleid=32802; Robert
OHarrow Jr., In Age of Security, Firm Mines Wealth Of Personal Data, Washington Post, January 20, 2005, at http://www.washingtonpost.com/wp-dyn/articles/A222692005Jan19.html.
39 Harris, supra n. 16 (quoting FBI spokesman Ed Cogswell).
40 Hiawatha Bray, Google Subpoena Roils the Web, U.S. Effort Raises Privacy Issues, Boston
Globe, January 21, 2006 at http://www.boston.com/news/nation/articles/2006/01/21/
googlelsubpoenalroilslthelweb/.
41 Miguel Helft, Google Told to Turn Over User Data of Youtube, New York Times, July 4,
2008 at http://www.nytimes.com/2008/07/04/technology/04youtube.html.
VerDate Nov 24 2008
06:38 Mar 19, 2012
Jkt 073308
PO 00000
Frm 00076
Fmt 6633
Sfmt 6621
SCOM1
PsN: JACKIE
73
Courts have uniformly recognized that government requests for records of which
books, films, or other expressive materials individuals have received implicate the
First Amendment and trigger exacting scrutiny.42 These cases are grounded in the
principle that the First Amendment protects not only the right of individuals to
speak and to express information and ideas, but also the corollary right to receive
information and ideas through books, films, and other expressive materials.43 Within this protected setting, privacy and anonymity are vitally important. Anonymity
exemplifies the purpose behind the Bill of Rights, and of the First Amendment in
particular, because, among other things, it serves as a shield from the tyranny of
the majority. 44 An individual may desire anonymity when engaging in First
Amendment activitieslike reading, speaking, or associating with certain groups
because of fear of economic or official retaliation, . . . concern about social ostracism, or merely . . . a desire to preserve as much of ones privacy as possible. 45
The Supreme Court has also recognized that anonymity and privacy are essential
to preserving the freedom to receive information and ideas through books, films, and
other materials of ones choosing. For example, in Lamont v. Postmaster General,
the Court invalidated a postal regulation that required the recipient of communist
political propaganda to file a written request with the postmaster before such materials could be delivered.46 The regulation violated the First Amendment because it
was almost certain to have a deterrent effect . . . Any addressee [was] likely to
feel some inhibition in sending for literature knowing that government officials
were scrutinizing its content.47 Forced disclosure of reading habits, the Court concluded, is at war with the uninhibited, robust, and wide-open debate and discussion that are contemplated by the First Amendment. 48
These words ring equally true today in the Information Age, with the prevalence
of the Internet and other new technologies. Although these technological advances
provide valuable tools for creating and disseminating information, the unprecedented potential for government and companies to store vast amounts of personal
information for an indefinite time poses a new threat to the right to personal privacy and free speech. In In re Grand Jury Subpoena to Amazon.com, the district
court recognized this reality in holding that a grand jury subpoena to Amazon requesting the identities of buyers of a certain sellers books raised significant First
Amendment concerns.49 The court explained its concern over the chilling effect that
would flow from enforcing such a subpoena in the age of the Internet, despite its
confidence in the governments good-faith motives:
[I]f word were to spread over the Netand it wouldthat [the government] had
demanded and received Amazons list of customers and their personal purchases, the chilling effect on expressive e-commerce would frost keyboards
across America. Fiery rhetoric quickly would follow and the nuances of the subpoena (as actually written and served) would be lost as the cyber debate roiled
itself to a furious boil. One might ask whether this court should concern itself
with blogger outrage disproportionate to the governments actual demand of
Amazon. The logical answer is yes, it should: well-founded or not, rumors of an
Orwellian Federal criminal investigation into the reading habits of Amazons
customers could frighten countless potential customers into canceling planned
online book purchases, now and perhaps forever. . . . Amazon . . . has a legitimate concern that honoring the instant subpoena would chill online purchases
by Amazon customers.50
The Internet is, and must remain, the most open marketplace of ideas in the history of the world. In order to guarantee this, we must provide consumers with the
tools they need to control their personal information and meaningful mechanisms
42 In re Grand Jury Subpoena to Kramerbooks & Afterwords Inc., 26 Med. L. Rptr. 1599,
160001 (D.D.C. 1998) (Dkt. No. 21, Ex. B) (requiring government to show compelling interest
and a sufficient connection between its investigation and its request for titles of books purchased
by Monica Lewinsky); Tattered Cover, Inc. v. City of Thornton, 44 P.3d 1044, 1053 (Colo. 2002)
(holding that search of booksellers customer purchase records necessarily intrudes into constitutionally protected areas).
43 See, e.g., Va. State Bd. of Pharmacy v. Va. Citizens Consumer Council, 425 U.S. 748, 757
(1976) (right to receive advertisements); Stanley v. Georgia, 394 U.S. 557, 564 (1969) (films);
Bantam Books v. Sullivan, 372 U.S. 58, 64 n.6 (1963) (books).
44 McIntyre v. Ohio Elections Commn, 514 U.S. 334, 357 (1995).
45 Id. at 34142.
46 Lamont v. Postmaster General, 381 U.S. 301, 302 (1965).
47 Id. at 307.
48 Id. (quoting New York Times Co. v. Sullivan, 376 U.S. 254, 270 (1964)).
49 246 F.R.D. at 57273
50 In re Grand Jury Subpoena to Amazon.com, 246 F.R.D. at 573.
VerDate Nov 24 2008
06:38 Mar 19, 2012
Jkt 073308
PO 00000
Frm 00077
Fmt 6633
Sfmt 6621
SCOM1
PsN: JACKIE
74
for assuring privacy and protecting the robust rights established by the Constitution.
VII. Solutions exist
Reasonable and workable solutions exist for grappling with the problems of excessive data collection. While the technology is new, the problem is not. As the preceding case law demonstrates, as a society we have always been concerned about
problems like judging or attacking individuals based on their reading or viewing
habits. That is why 48 states protect public library reading records by statute.51
Congress has also recognized the privacy interests of users of expressive material
and created strong protections in several other contexts. The Video Privacy Protection Act prohibits disclosure of video rental records without a warrant or court
order.52 The Cable Communications Policy Act similarly prohibits disclosure of cable
records absent a court order.53
Moreover, more than 30 years ago the U.S. Department of Health, Education and
Welfare (now the Department of Health and Human Services), crafted basic privacy
principles to protect personal information.54 Called the Fair Information Practice
Principles (FIPPs), they have become the basis for comprehensive privacy laws in
most of the industrialized world as well as sector specific privacy laws in the United
States.55 In 2008 the Privacy Office of the Department of Homeland Security formally adopted them in its analysis of DHS programs. And in a recent report, the
Department of Commerce recommended that the FIPPs as described by DHS be
adopted as the basis for Internet regulation.56
The FIPPs stand for eight relatively straightforward ideas:
Transparency: Individuals should have clear notice about the data collection
practices involving them.
Individual Participation: Individuals should have the right to consent to the use
of their information.
Purpose Specification: Data collectors should describe why they need particular
information.
Data Minimization: Information should only be collected if its needed.
Use Limitation: Information collected for one purpose shouldnt be used for another.
Data Quality and Integrity: Information should be accurate.
Security: Information should be kept secure.
Accountability and Auditing: Data collectors should know who has accessed information and how it is used.
While some adjustments will have to be made to conform to new technologies,
international Internet data collection practices, as well as the data collection practices of other sectors of the U.S. economy, are already governed by the FIPPs.57 To
imply as some have done that application of these regulations in this case would
cause serious harm to the Internet and e-commerce seems overstated at best.
These protections must be embodied in law, not just in industry practice. For
years government agencies have called on industry to provide privacy protections for
consumers. However, as a recent Federal Trade Commission report explains, selfregulatory efforts have been too slow, and up to now have failed to provide ade51 See, e.g., N.Y. C.P.L.R. 4509; Cal. Gov. Code 6267, 6254(j). The two states that do not
have library confidentiality laws are Hawaii and Kentucky. However, the Attorney Generals Offices in each state have issued opinions in support of reader privacy. Haw. OIP Opinion Letter
No. 9030 (1990) (disclosure of library circulation records would result in a clear unwarranted
invasion of personal privacy); Ky. OAG 82149 (1982) (all libraries may refuse to disclose for
public inspection their circulation records. . . . [W]e believe that the privacy rights which are
inherent in a democratic society should constrain all libraries to keep their circulation lists confidential.).
52 18 U.S.C. 2710(b)(2)(C), 2710(b)(2)(F), 2710(b)(3).
53 47 U.S.C. 551(h).
54 For a brief history on the principles please see Robert Gellman, Fair Information Practices:
A Basic History at http://bobgellman.com/rg-docs/rg-FIPShistory.pdf.
55 Directive 95/46/EC on the protection of individuals with regard to the processing of personal
data and on the free movement of such data, October 24, 1995; Fair Credit Reporting Act
(FCRA), 15 U.S.C. 1681 et seq.
56 Department of Commerce, Commercial Data Privacy and Innovation in the Internet Economy: A Dynamic Policy Framework, December 2010.
57 Id.
VerDate Nov 24 2008
06:38 Mar 19, 2012
Jkt 073308
PO 00000
Frm 00078
Fmt 6633
Sfmt 6621
SCOM1
PsN: JACKIE
75
quate and meaningful protection. 58 One example illustrates this fact well. In 1999
and 2000 when behavioral targeting first attracted regulatory attention, an industry
group, the Network Advertising Initiative (NAI), claimed that self-regulation was a
solution and that all NAI members would follow a common code of conduct.59 As
regulatory attention faded, so did participation in the NAI. By 2003 it had only two
members. There is no reason to believe that things would be different now.
It is important to note that technology is already moving to help. Browser manufacturers are creating technical mechanisms so that web surfers can indicate their
preference not to be tracked.60 If given the force of law through the passage of a
Do Not Track law, those mechanisms set a solid foundation for beginning to protect personal information online.
VIII. Conclusion
The current online data collection practices create detailed profiles on each of us.
These practices are neither benign nor anonymous. They harm consumers and directly impact their fundamental rights. They are also unpopulareven when explicitly tied to the provision of free services. Good solutions exist and have been adopted
in other countries and other parts of the U.S. economy. The Committee should look
to these solutions like the Do Not Track mechanism and adopt legally enforceable
rules to protect consumers and end this profiling.
Senator KERRY. Well thats a pretty far reach.

[Laughter.]
Senator KERRY. I mean its a big concept. So Im not suggesting
youre reaching. Its just its a big statement obviously about a potential downside.
Its just you, us and thats it. Thats all thats left. Im sorry.
[Laughter.]
Senator KERRY. But I want to probe a few things then well get
you all out of here before too, too long, if I can.
So Mr. Calabrese, youve sort of drawn this potential danger picture, which is appropriate, in front of us. Whats the appropriate
response to that in your judgment?
Mr. CALABRESE. Well I mean weve heard a lot of great responses. I mean, I think we can begin with the Do Not Track mechanism which again, if backed by law gives people the opportunity
to sort of opt-out of this state. Its not enough on its own.
Senator Kerry, the principles that you described, the ability to
give consumers control over their information is vital to this as
well. I think Do Not Track is a part of that. But its also about
sharing information collected by a first party. Just because I want
a company to collect my information doesnt mean I want them to
use it for everything. I may want to limit that. And thats
Senator KERRY. Is there a balance here in your judgment between the obviously very important interest that youre highlighting and also the commercial, economic interest that we all
have in maintaining the viability needed to save a growing enterprise?
Mr. CALABRESE. Oh, there absolutely is a balance. But we need
to setIm sorry.
Senator KERRY. No, go ahead.
58 Federal Trade Commission (Bureau of Consumer Protection), A Preliminary FTC Staff Report on Protecting Consumer Privacy in an Era of Rapid Change: A Proposed Framework for
Businesses and Policymakers, December 1, 2010.
59 World Privacy Forum, Network Advertising Initiative: Failing at Consumer Protection and
at Self-Regulation, Fall 2007 at: http://www.worldprivacyforum.org/pdf/WPFlNAIl
reportlNov2l2007fs.pdf.
60 Julia Angwin, Web Tool on Firefox to Deter Tracking, Wall Street Journal, January 24,
2011.
VerDate Nov 24 2008
06:38 Mar 19, 2012
Jkt 073308
PO 00000
Frm 00079
Fmt 6633
Sfmt 6601
SCOM1
PsN: JACKIE
76
Mr. CALABRESE. There is a balance. My fear, candidly, is that
right now theres no legal protection. And theres a great deal of incentive.
I mean Americans are some of the greatest businessmen and
businesswomen in the world. If you give them an economic incentive and say theres an economic incentive to track people online.
They will do a really good job of it.
So I think we need to put controls in place to make sure that the
consumer is part of that process.
Senator KERRY. And how far do those controls have to go if the
consumer has knowledge? I mean one of the problems is weve
learnedI dont know if I have statistics here or not. I dont think
I do.
But we have found historically that, you know, people consistently say well this is something Im really super, super concerned
about but then they tend to engage in practices on the Internet
itself that sort of belie that a little bit.
Mr. CALABRESE. Sure. Well, I think part of that is they really
havent had meaningful choice up to this point. Its been sort of a
take it or leave it approach. And so its hard to expect people to
invest time and energy in something
Senator KERRY. I think that a lot of folks at the table would disagree that they dont have meaningful choice.
Mr. CALABRESE. Sure. I think they would. By allbut I mean the
fact that I cant point to a law that says I control my personal information makes, you know, makes memakes it hard for me to
tell a consumer that they in fact, do have that control. I mean, a
companys promises are important but not enough.
Senator KERRY. Who else? Anybody want to speak to that, sort
of the balance?
Mr. ANDERSEN. Im happy to speak to it for a moment.
Senator KERRY. Go ahead, Mr. Andersen.
Mr. ANDERSEN. Microsoft is obviously involved in online advertising. We also provide tools to consumers to help them protect
themselves from activities that they may view as tracking and also
spam and things like that as well. So were sort of in a somewhat
unique position of having to make sure that were looking at both
sides of the equation.
In the testimony that I submitted we did provide some statistics
about the incredible growth of online advertising, and pointed out
that it really is fueling a lot of the content available on the Internet today. I do think that it is important to make sure that that
is kept in mind as one thinks about legislation.
At the same time consumer trust is incredibly important to our
company. We know that users want to be in control of the data
that is collected about them and how that data is used as well. And
so were endeavoring to make sure that they have the tools available to them to make sure that they are in control.
Senator KERRY. What does that mean, tools available to them?
Mr. ANDERSEN. What I mean by that? Ill give you an example
from Internet Explorer browser. So we have this feature called
Tracking Protection that weve introduced this week with Internet
Explorer. Its available on the product. From the menu, you can select a feature called tracking protection. And what that will
VerDate Nov 24 2008
06:38 Mar 19, 2012
Jkt 073308
PO 00000
Frm 00080
Fmt 6633
Sfmt 6601
SCOM1
PsN: JACKIE
77
Senator KERRY. Select that when you download it or do you select that every time it comes up? Is there an icon on your
Mr. ANDERSEN. Thats a good question. When you have installed
the product there are menu items that are available to you to
choose from.
Senator KERRY. Is that in the initial installation because I know
sometimes when you download something you get a whole menu of
initial installation, you know, some signs that shows up more than
it does than other times. It can be more bold faced than other
times. You can miss them sometimes.
I mean, how does it show up?
Mr. ANDERSEN. Thats correct. It would not be part of your installation process. You wouldnt be asked to choose among different
settings at the beginning of your installation process.
What you would do is after youve installed the product you
would choose from the menu of different controls that you have to
place.
Senator KERRY. Do you have to choose to go to the menu or does
the menu show up automatically?
Mr. ANDERSEN. Youd have to choose the menu.
Senator KERRY. So youd have to go to the menu.
Mr. ANDERSEN. Yes, you would.
Senator KERRY. It wouldnt be like a privacy warning, the original warnings where you have to sign up and say, I agree in order
to proceed forward. There wouldnt be a stop, you cant proceed forward until youve answered it.
Mr. ANDERSEN. Thats correct.
Senator KERRY. So a lot of people say, well, thats not really an
in your face choice.
Mr. ANDERSEN. We understand that perspective, obviously. I
think
Senator KERRY. I mean Im sure that when you really want to
get somebodys attention you guys know how to do it.
[Laughter.]
Mr. ANDERSEN. Weve been pretty successful at doing that, yes.
Senator KERRY. So, does this rise to that level or does it not?
Mr. ANDERSEN. Well, its a good question. I think that what we
found is that, you know, people want to experience the full Internet
when they use a browser product. And they want to receive the
personalization that theyre able to get by using the full Internet.
At the same time theres many people who want to have a choice
and want to have tools available to them that are easy to access
to the product to be able to
Senator KERRY. No one is denying the choice. Its just a question
of how boldly its there. I mean, you know, as you said, you know
how to get peoples attention. Everybody does in the business. And
things keep popping up and popping up and youve got to figure out
how the hell to get them away sometimes.
And then there are things that dont pop up. And you cant find
or theyre harder to find. I think thats really at the center of this
to some degree. Theres got to be some sense of, you know, fair play
and transparency and accountability in that.
VerDate Nov 24 2008
06:38 Mar 19, 2012
Jkt 073308
PO 00000
Frm 00081
Fmt 6633
Sfmt 6601
SCOM1
PsN: JACKIE
78
Mr. ANDERSEN. Absolutely. Its absolutely a big part of the discussion is that at what point along the user experience should you
be affirmatively giving users a choice to make a decision.
Senator KERRY. Let me ask a blunt question. And maybe Mr.
Montgomery this is in your area and someone else at the table perhaps into it, Im not sure. In fact before I ask that question let me
come back to Intuit, if I can.
Intuit, you were commenting, Ms. Lawler, about the four principles that you apply. And theyre admirable. Theyre terrific. And
you talk about income tax, health, vendor links, all these things
that you manage.
But isnt that a very different kind of relationship and business
than some other businesses. Which therefore makes it easier for
you to frame this kind of a wow, were able, you know, were going
to protect you because in fact your whole thing is the protection of
the relationship with the customer. A lot of other people may not
have that kind of a stake, you know.
People can come and go as long as the traffic is sufficient if
theyre able to track enough of what theyre doing. There may be,
as Senator Isakson said, a sort of a commodity value to the information they have thats sufficient to encourage them. There may
be better economics on that side of the ledger than on the other
which encourages them therefore to chase that information rather
than to be as protective as you are.
Does that make sense the distinction Im drawing?
Ms. LAWLER. Yes, Senator, it does. Our customers trust is really
critical to us. And you talked about the nature of the sensitive information that we have and the relationship that we have with our
customers is that theyre using our services and products to manage their personal life, their personal finances, to manage their
businesses online.
So we have actually gone directly to our customers and asked
them whats important to them. And understanding that while
there is that sensitive information there are other aspects of their
interaction with us that might not be, if it was another company
treated in the same, more sophisticated way
Senator KERRY. So might you agree therefore that if you go to
a retail outlet of some kind, perhaps, they have a different interest? And are there different stakes as a result? Would there be a
different value level of protection as a result of the difference in the
activity?
Ms. LAWLER. I think this is why we are talking about a principles-based approach based on industry sector type of data use. So
clearly is data more sensitive in a retail environment? Maybe
somewhat less so, but one of the things that was very clear from
our customers is that in all contexts whether it is more shopping
related data or whether its related to their personal finances is
that, while they may not read privacy policies, they really care
about how their data is used. They want to understand that
through clear, open, transparent explanations. And actually the
more clear and open you are about that, the less they want to be
fed with choices on a constant basis. What actually mattered to
them was something that was very contextual and relevant that related to their experience.
VerDate Nov 24 2008
06:38 Mar 19, 2012
Jkt 073308
PO 00000
Frm 00082
Fmt 6633
Sfmt 6601
SCOM1
PsN: JACKIE
79
So when we think about that and think about our principlesbased approach we would look at something that was flexible that
worked with our environment but also could be adapted to different
industries, businesses and sectors of all sizes.
Senator KERRY. Well I appreciateI certainly have enormous respect for the concept, the data stewardship concept, that youve articulated. I think that putting that kind of statement out front its
the customers, not ours, is a high standard. And we have to sort
of figure out, you know, where that applies.
Mr. Montgomery, you may have a different feeling about that a
little bit.
Mr. MONTGOMERY. Not a different feeling at all, sir. I thinkI
think an important question that you asked a little earlier which
was about very clear notice that information has been collected so
nothing that is hidden under, you know, under a menu. And I
think that the self regulation program of which Microsoft, by the
way, is an important part, has an icon on every single advertisement that collects information.
So the billions of advertisements that go out every week that collect information will have an icon on them which will allow consumers to click on the icon. It will tell them exactly who is collecting information about them.
Senator KERRY. Is that the icon?
Mr. MONTGOMERY. Thats the icon in a somewhat expanded
version.
Senator KERRY. Whats the chart underneath it?
Mr. MONTGOMERY. Thats an example of an ad thats actually
running at the moment. And if you see in the top right hand corner. Thats a pervasive ad choices icon that consumers would click
on.
Once they click on the icon theyll be told a little about behavioral advertising, who is collecting information. And with one click
be able to opt-out. So its
Senator KERRY. Does Verizon get a piece of the action today?
[Laughter.]
Mr. MONTGOMERY. No, they do not, sir.
Senator KERRY. OK.
Mr. MONTGOMERY. So I think its an important point that you
raise that it needs to be out there. And we think this is going to
become like the recycling logo. Its going to build consumer trust
and at the end
Senator KERRY. How does that find its way to there now? Is that
a one to one relationship with Verizon or how does it work?
Mr. MONTGOMERY. So were busy rolling out the program to our
client base. I think that there are more than 100 major clients that
already subscribe. And clients just simply have to give us permission to go ahead. And most of our clients agree with it.
Then theres an underpinning technology that we employ that allows us to figure out exactly who is tracking so that we can apply
a compliance mechanism to the process. So if an advertiser doesnt
comply we contact them. Then we call them out publicly. And ultimately, you know, that information is made public and that
VerDate Nov 24 2008
06:38 Mar 19, 2012
Jkt 073308
PO 00000
Frm 00083
Fmt 6633
Sfmt 6601
SCOM1
PsN: JACKIE
80
Senator KERRY. Does that presume our, kind of, consumer awareness about that or would there be some sort of a campaign that
makes people aware? How would you get the word out, so to speak?
Mr. MONTGOMERY. Yes. No, its a great question. In my testimony earlier I talked about a campaign that weve developed with
the Internet Advertising Bureau called Privacy Matters. And that
is already enjoyed over 600 million impressions against consumers.
And were going to extend that campaign so we can teach consumers about what information is collected, the importance of behavioral advertising and also the importance of having access to
free content on the Internet which is fueled by advertising.
Senator KERRY. So do you still accept the notion thatincidentally, I think its a terrific step forward and I congratulate you for
itbut do you still believe that you need a baseline law where
theres a safe harbor from preemptive prescriptive regulation?
Mr. MONTGOMERY. Sir, what we feel is very, very important in
this process is that self regulation is given an opportunity to work
in this process. And if it needs to work with a baseline law we will
be very happy to cooperate with you in any way to refine and ensure compliance around that as long as the self regulation can operate within it.
Senator KERRY. But suppose, I mean, if the FTC were to certify
that program or similar program like that and its compliant with
the fair treatment of peoples information given the way the net
works and the modern technology thats available and the low cost
of collection and so forth, couldnt collectors of information outside
of your program wind up doing a lot of damage broadly in ways
that would be inconsistent with what youve said consumers ought
to have?
Mr. MONTGOMERY. Just to clarify, you mean, data trackers
Senator KERRY. Yes.
Mr. MONTGOMERY. Who are outside the program?
Senator KERRY. Precisely.
Mr. MONTGOMERY. I think that there are bad actors out there.
And one of theand we would absolutely support any way that we
could uncover those bad actors and who are doing anything to
harm consumers.
Senator KERRY. Well, since our approach is principles-based, basically, doesnt that give you the latitude within which to be able
to move?
Mr. MONTGOMERY. I think whats important is right now we have
over 5,000 companies subscribing to the self regulatory process.
And in that way weve got 5,000 policemen out there watching for
the bad actors. And we, in fact, interestingly last week we discovered some fraudulent practice on the Internet and handed it over
to the FBI for further investigation.
We hear this all the time amongst our, you know, our member
base where, you know, theyre looking out for that all the time. So
in summary, we absolutely would work with you in any way we
could to ensure consumer privacy and continued innovation.
Senator KERRY. Mr. Andersen, weve shared with you, with the
company, you, the drafts, current drafts, as with several of you.
And I wonder if you might just share with us your sense of sort
of where we are in that process now, the direction.
VerDate Nov 24 2008
06:38 Mar 19, 2012
Jkt 073308
PO 00000
Frm 00084
Fmt 6633
Sfmt 6601
SCOM1
PsN: JACKIE
81
Mr. ANDERSEN. From our perspective the process is going very
well. We absolutely appreciate the opportunity to be involved in the
process. We see the drafting process going in the direction we had
hoped for which is to establish baseline principles in the law that
we think are reasonable and we think that industry can and should
be able to sign up for it. So were very encouraged by it.
Senator KERRY. Appreciate that.
Ms. Lawler, what about you?
Ms. LAWLER. We also, excuse me, we also like the direction that
the proposal is going. We are generally supportive. We like the
principles-based approach. We like the consideration around codes
of conduct and safe harbor.
We look forward to working with you on refining the proposal as
it moves along.
Senator KERRY. Do you have a majoris there a major hurdle
in your judgment?
Ms. LAWLER. I would say that there arent any major hurdles. I
think where we would like to work with you would be on the level
of prescriptiveness of certain areas around notice and contacting.
Senator KERRY. OK. Well we look forward, obviously, to working
that through with you. And all of, you know, certainly.
Ms. LAWLER. Yes.
Senator KERRY. Certainly.
Ms. LAWLER. Theres very much that we do like in the bill, in the
proposal.
Senator KERRY. Good.
Ms. LAWLER. So we think theres a lot there to work with.
Senator KERRY. Good.
Ms. LAWLER. And in particular, you know, weve talked a lot
today about concern about bad actors. And you have companies
represented in this room that are high achievers, you know, set
very high standards. And I think what a principle based approach
that is outlined in the proposal currently will also help us is really
aim at the large mass of businesses, organizations in the middle,
that may not have the same level of resources or expertise in privacy issues that you see at this table.
And so, principles-based approach, using safe harbors as described in the proposal, I think is a real positive mechanism to
bring the large masses into a higher level of privacy protection.
Senator KERRY. Well, well work with you on that. Ive just been
noticed that they need me back in the office. So Ive got to run and
do that in a moment.
I think Colonel Khadafi doesnt believe in privacy or something
so Ive got to go deal with it.
[Laughter.]
Senator KERRY. Quick question if I can, Mr. Soltani. I want to
getyouve talked thoughtfully about the first party entity and the
website that you are directly interacting with and the third party
is some entity that the first party allows to interact with you and
so forth. It makes sense, very logical and we get it.
But weve been struggling a little bit with the cases where you
have a first party such as Facebook. And then Facebook tracks behavior in another site, et cetera. And given that the consumer had
a first party relationship with Facebook as long as notice is pro-
VerDate Nov 24 2008
06:38 Mar 19, 2012
Jkt 073308
PO 00000
Frm 00085
Fmt 6633
Sfmt 6601
SCOM1
PsN: JACKIE
82
vided and choices provided for Facebook to acquire the information
is that a point somewhere in between the first and third party?
How do weweve been struggling with this a little bit.
Mr. SOLTANI. Its a great question. I believe in that context
Facebook is a first party and a third party. In the context when
you go and enter Facebook.com into your URL bar of your browser,
thats a first party interaction.
However, in the context where you are on say, the Washington
Post and there are Facebook widgets, buttons, objects on the page,
I believe that constitutes a third-party widget. The loading of a
third-party widget that then results in passive data collection I still
believe would fall under third-party data collection.
Its a little nuanced since users can also interact with that widget. And in the case where users knowingly interact with a widget
perhaps we can frame it as a first party interaction.
Senator KERRY. So where would the notice have to be? Would the
notice have to be the first time when you first sign up? This can
happen? Or does the notice have to occur each time, each face
page? How does it work?
Mr. SOLTANI. Since often these things are tied to identifiers I believe perhaps upon the setting of the identifier in the first party
context the notice could happen. So, your cookie could then be
later used to tie that activity to the third-party context.
We also want to be careful here around forced third party interactions, i.e., when you go to a website and a video starts playing
or an ad pops up that youre forced to dismiss, since you can actually compel users to require them to interact in a third party context.
I think we still want to frame it around meaningful interactions
with third party objects that consumers are aware of, and we might
consider that okay. All other passive data collection we would consider third party data collection.
Senator KERRY. OK. Weve got to work that through obviously.
And see how we can come out of it. But theres obviously some, you
know, some of this is, you know, does get into that nuance.
Mr. SOLTANI. Absolutely.
Senator KERRY. Whatever you want to call it, area. It gets tricky.
I think the principle that we want to have guide us is also to do
no harm even as we are protecting people. And I think, you know,
were going to try to balance that very, very carefully here.
So we will continue a thoughtful process here of engagement
with all of you to try. And Danny Sepulveda has been doing a superb job, I think, of reaching out and sitting with everybody.
I also want to thank as a slight nepotism here going on. But my
brother over at the Commerce Department, as General Counsel has
been involved in this without my instruction or engagement at all.
Theyve done this on their own. But I thank them for their input
which has been helpful in this process, enormously helpful.
And obviously we need to work with the Administration in order
to figure out where were going here.
I hope we can get a product where everybody is standing up and
saying this is good. This is something we can live with. We can
work with. And the consumer is really given a set of choices and
opportunities here that they dont have today to make an intel-
VerDate Nov 24 2008
06:38 Mar 19, 2012
Jkt 073308
PO 00000
Frm 00086
Fmt 6633
Sfmt 6601
SCOM1
PsN: JACKIE
83
ligent guided selection as to where theyre heading and whats happening to their information.
And I think we can come out of there without upsetting the obvious commercial interests that we all want to encourage and that
are important to us. So on that note well adjourn here today. And
look forward to trying to get this thing into shape where we can
get it introduced.
Im working, as you know, with Senator McCain, very closely.
And hes got some interest in this as we go. But I hope that well
get to a point where we can introduce this in short order.
I think we need to do it. I think we need to do it soon. I think
everybody will benefit by doing this. And I look forward to getting
this accomplished. So thank you all very, very much for being here
today.
We stand adjourned.
[Whereupon, at 12:09 p.m., the hearing was adjourned.]
VerDate Nov 24 2008
06:38 Mar 19, 2012
Jkt 073308
PO 00000
Frm 00087
Fmt 6633
Sfmt 6601
SCOM1
PsN: JACKIE
VerDate Nov 24 2008
06:38 Mar 19, 2012
Jkt 073308
PO 00000
Frm 00088
Fmt 6633
Sfmt 6601
SCOM1
PsN: JACKIE
A P P E N D I X
PREPARED STATEMENT OF HON. MARK BEGICH,
U.S. SENATOR FROM ALASKA
Thank you to Chairman Rockefeller and Senators Kerry and Pryor for their work
on this vital issue for Americans. Alaskans value their privacy so much there is a
right to privacy spelled out in the Alaska State Constitution. We dont want the government or private businesses invading our privacy.
Online privacy is one of the most important issues facing consumers today. I frequently hear from constituents regarding the privacy practices of companies or the
impact of the Internet on their lives. The Unites States Constitution clearly protects
Americans from unreasonable searches of their private information without a compelling reason, and theres no reason to believe Americans are any more apt to tolerate someone pulling private information for financial benefit through their actions
on the Internet.
I am particularly concerned about the pervasive nature of tracking on childrens
websites. I have an 8-year-old son who regularly uses the Internet and is extremely
proficient on computers. My wife and I regularly monitor his Internet usage, but
I cannot find out what companies target him, who has access to that information
and to which third parties this information is sold. Additionally, what protections
are in place to ensure he is not unknowingly downloading inappropriate or dangerous software? What sort of e-dossier is already being created by my sons Internet usage? Unfortunately, I believe there are few if any protections in place for this
most vulnerable population.
We must find a solution that will protect peoples online experience while enabling
the Internet to continue to grow and thrive. We cannot accept the wild west status
quo any longer. I look forward to working toward a solution in the 112th Congress.
RESPONSE
TO
WRITTEN QUESTIONS SUBMITTED BY HON. MARK PRYOR

HON. JON D. LEIBOWITZ
TO
General Privacy Questions

Question 1. Based on the FTCs December staff report, could you please highlight
for the Committee where you see the most harm posed to consumers due to a need
for better online privacy protections? Where do you think are the greatest risks to
consumer privacy?
Answer. The Commission staff continues to be concerned about harms that can
result from unauthorized disclosure of consumers information, including financial
harm such as identity theft; physical harm such as stalking; unwarranted intrusions
into consumers time, such as unwanted telemarketing calls and spam; and harms
that result from the denial of employment, insurance, and other goods and services.
In addition, consumers suffer harm simply from having their information used
without their informed consent. Consumers that provide information believing it is
private will lose trust in a company if the company makes that information public
without the consumers consent. Consumers believing they are simply searching for
information about a health condition online will lose trust in a company that sells
information about them without their knowledge. More broadly, consumer trust in
online services generally is damaged if companies collect and use data in ways that
consumers do not expect. The loss of consumer trust in online services would harm
both consumers and business by chilling consumers willingness to participate in online activities and electronic commerce.
The preliminary staff report asked for comment on several recommendations to
address these harms. For example, to address the problem of data falling into the
wrong handssuch as identity thieves and stalkers, the report recommends that
companies not collect unnecessary data, maintain better data security for the data
they maintain, and dispose of the data when they no longer have a legitimate business need for it. To avoid collection and use of consumers data without their in(85)
VerDate Nov 24 2008
06:38 Mar 19, 2012
Jkt 073308
PO 00000
Frm 00089
Fmt 6601
Sfmt 6621
SCOM1
PsN: JACKIE
86
formed consent, the report makes recommendations on how companies can improve
transparency and obtain more informed choices.
Question 2. How can consumers be better educated about privacy risks and steps
they can take to protect themselves? Do consumers have the tools necessary to adequately protect themselves in todays world?
Answer. The Commission runs educational campaigns to teach consumers how to
protect their valuable personal information and make thoughtful decisions about
when it is shared and used. For example, the Commission manages the interagency
OnGuardOnline.gov campaign, which helps computers users avoid fraud, protect
their privacy and stay safe online. The OnGuardOnline.gov site has information to
help parents talk to their kids about the value of their personal information and
how to make responsible choices about where and how to share it. The Commissions
identity theft information for consumers (FTC.gov/idtheft) also provides tips and advice about how to protect sensitive information online and off. A wide variety of consumer educational materials, including many in Spanish, help consumers deter, detect, and defend against identity theft. For example, the FTC publishes a victim recovery guideTake Charge: Fighting Back Against Identity Theftthat explains
the immediate steps identity theft victims should take to address the crime.
However, the Staff Report noted that companies privacy practicesincluding the
collection, use, and transfer of consumer informationare often not transparent to
consumers; therefore collection or use of consumer information may occur without
their knowledge or consent. In such situations, consumer education is not adequate
to protect consumer privacy, which is why the Preliminary Staff Privacy Report
highlights the need for some of the burden surrounding privacy protection to shift
from the consumer to businesses. Thus, the Report asked whether industry can do
more to help consumers better understand how their information is collected and
used. As outlined in the Report, industry could incorporate privacy protections such
as data security, sound retention practices, and data accuracy into products and
services; offer simplified consumer choice; and inject greater transparency about
data collection and use into business practices.
Question 3. What do you think FTC oversight would provide that self-regulation
by the industry could not?
Answer. As an initial matter, the staff report does not take a position on whether
its recommendations should be implemented through legislation or self-regulation.
It is intended to provide guidance to industry, Congress, and policymakers as they
develop rules of the road in this area.
That said, whether or not legislation gets enacted, self-regulation will always play
an important role in protecting consumer privacy. The Commission staff has supported self-regulation in the past and continues to believe that self-regulation can
be an effective tool, as long as it is comprehensive, robust, effective and enforceable.
And under Section 5 of the Federal Trade Commission Act, the Commission can
take enforcement action against companies that break their promises to abide by
self-regulatory codes of conduct. This is an important component of ensuring accountability for self-regulatory programs.
Question 4. What steps should the industry take to assist citizens with knowing
what their digital life is like?
Answer. The Preliminary Staff Privacy Report contained a number of recommendations for industry to help people understand how their personal information is collected and used. In particular, the Report recommended simplifying
choices for consumers and increasing transparency.
Recognizing that the current model of lengthy privacy policies was ineffective in
informing consumers about information practices, the Staff Report recommended
that businesses simplify choices provided to consumers. For example, the staff report indicated that companies do not need to provide choice before collecting and
using consumers data for commonly accepted practices, such as product fulfillment.
For practices requiring choice, companies should offer the choice at a time and in
a context in which the consumer is making a decision about his or her data. This
will allow the consumer to focus on the choices that matter and make more informed decisions.
The Staff Report also recommended that companies increase the transparency of
their data practices, by, for example, making privacy notices clearer, shorter, and
more standardized, to enable better comprehension and comparison of privacy practices. The Report also recommended that companies consider providing reasonable
access to the consumer data they maintain, proportionate to the sensitivity of the
data and the nature of its use.
VerDate Nov 24 2008
06:38 Mar 19, 2012
Jkt 073308
PO 00000
Frm 00090
Fmt 6601
Sfmt 6621
SCOM1
PsN: JACKIE
87
RESPONSE
TO
WRITTEN QUESTIONS SUBMITTED BY HON. KAY BAILEY HUTCHISON

HON. JON D. LIEBOWITZ
TO
Question 1. Chairman Leibowitz, in his concurring statement to the FTC report,

Commissioner Kovacic expresses the concern that a Do Not Track mechanism on the
Internet could inherently reduce the quality of content provided, by lowering the
revenue currently derived from advertising and possibly even forcing some online
content providers to deny free access to those who opt out of tracking.
Has the Commission examined what the ramifications of do not track could be
on the quality of content provided online, particularly of content that is currently provided for free?
Will you commit to ensuring that this type of analysis will be part of the Commissions analysis before the final report comes out?
Answer. The Commission recognizes the need for an appropriate balance between
consumer choice about online tracking and ensuring continued innovation in this
area. As the Preliminary Staff Privacy Report noted, online advertising helps to support much of the content available to consumers on the Internet. Although the Commission is continuing to evaluate the comments received on its staff report, evidence
suggests a Do Not Track mechanism for exercising choice about behavioral advertising would have minimal impact on the free content available on the Internet and
on innovation. First, the Preliminary Staff Privacy Report noted that certain advertising, such as first party marketing and contextual advertising, would not be affected by a Do Not Track mechanism. Thus, this type of advertising would continue
to serve as a source of revenue for content providers.
Second, recent research from an organization working with the advertising industry suggests that if companies provide adequate transparency and consumer choice,
consumers will choose not to opt out in great numbers, because they have a greater
degree of trust in companies stewardship of their information. See Evidon (formerly
Better Advertising), Research: consumers feel better about brands that give them
transparency and control over ads, http://blog.evidon.com/2010/11/10/researchconsumers-feel-better-about-brands-that-give-them-transparency-and-control-overads/ (Nov. 10, 2010).
Finally, key industry stakeholders have responded very positively to the request
for development of a simple, easy to use Do Not Track system. Leading browser
companies have offered changes to their browsers to implement Do Not Track.
Mozilla, for example, has implemented a Do Not Track header for use by consumers
when they browse the web, and Microsoft has rolled out a Tracking Protection List
feature that allows consumers to block the collection of information by specified
third parties. Apple has announced a do not track tool in a test version of its browser. The advertising industry itself also appears to recognize the value of offering
simplified choice to consumers and has ramped up its effort to provide clearer disclosures and choice mechanisms after release of our preliminary staff report. Indeed,
most recently, several of the leading advertising industry trade associations have
agreed to work closely with Mozilla to determine how to incorporate Mozillas Do
Not Track feature into its industry self-regulatory effort. I believe these efforts demonstrate that improved consumer choice can be consistent with innovation.
As these developments take place, the Commission is continuing to analyze the
comments received on the Preliminary Staff Privacy Report, including those regarding the potential effects of a Do Not Track mechanism on innovation and the availability of free Internet content. The Commission also will continue to evaluate information about the costs and benefits of any such mechanism.
Question 2. The Commissions report calls for a privacy by design model that
includes the recommendation for companies to only collect information needed for
a specific business purpose. Some comments submitted on the report expressed concern that implementing such a restriction could become so specific that it limits innovation on new and potentially beneficial uses of data. How do you envision such
a restriction being implemented in a way that will allow for the continued innovation of new products and services necessary to keep American companies as leaders
in the global online world?
Answer. The goal of privacy by design is to guide and motivate businesses to develop best practices for incorporating privacy into their products and services during
the early stages of their development. Best practices that ensure that privacy solutions are compatible with business needs should not restrict innovation and will
likely be more flexible than government rules. To be clear, the principle of privacy
by design contemplates that businesses can and should collect information for their
legitimate business purposes; however, as discussed in the Preliminary Staff Privacy
Report, the concept of privacy by design also means the amount of data collected
VerDate Nov 24 2008
06:38 Mar 19, 2012
Jkt 073308
PO 00000
Frm 00091
Fmt 6601
Sfmt 6621
SCOM1
PsN: JACKIE
88
and duration for which such data is retained should be limited by those legitimate
business needs. This reflects concerns that collected data may be retained by companies indefinitely, increasing the risk that the data may be compromised through a
security vulnerability or put to use in ways that consumers never would have expected and to which they would object. Staffs recommendation that companies implement a privacy by design approach is designed to encourage businesses simply
to think through the privacy and security risks associated with collecting more information than is currently needed from consumers and retaining it for longer than
necessary. The Commission has recognized these concerns in its enforcement program. For example, we have brought data security cases against companies that
kept shoppers credit card information, long after they had a business need to do
so. See e.g., In the Matter of BJs Wholesale Club, Inc., Docket No. C4148 (Sept.
23, 2005) (final consent order). In these cases, the credit card information was obtained by hackers. Had the companies taken more care in disposing of information
they no longer needed, consumer harm could have been avoided. Similarly, last year
Google collected personal information through its Street View carsthe company
claims to have inadvertently collected that information without any intention of
using it. Under the Privacy by Design approach recommended in our staff report,
Google would have tested its systems to ensure that it did not collect data it did
not need.
As these examples demonstrate, companies should assess privacy and security
risks as part of the innovation process and work to address them appropriately. For
example, although they may determine that continued collection of personal data is
necessary, they could try to anonymize such data to reduce privacy and security
risks.
We have received many comments on the concept of collecting and retaining data
for a specific business purpose, which we plan to address in the final report in
a way that furthers consumer privacy interests without impeding innovation.
Question 3. Chairman Leibowitz, FTC Commissioner Rosch has expressed serious
reservations about the new privacy proposal advanced in the FTCs staff report. He
claims that the current harm model of FTC enforcement has served the Commission well. If the FTC is correctly enforcing its statutory responsibilities to ensure
disclosure of material privacy policies and to hold companies accountable for those
policies, consumers already have information to make informed decisions about their
online privacy.
If thats the case, why is it necessary to adopt a new, broader regulatory framework for online privacy?
If privacy policies are too opaque for consumers to understand and if the FTC
is concerned that consumers may be misled, why wouldnt rigorous enforcement
of the FTCs Section 5 deceptive trade practices authority improve the clarity
of privacy policies by companies seeking to avoid enforcement actions?
Answer. First, I note that the report does not propose a new regulatory frameworkit simply provides a framework for industry best practices and potentially,
for legislation, if Congress chooses to enact it.
Second, I agree with you that robust enforcement of Section 5 is critical. We have
recently brought cases against companies like Google, Twitter, and Chitika, an online advertising network, alleging that their practices were deceptive. We have additional cases in the pipeline.
Third, Section 5 does not generally require companies to disclose their information
practices. If they choose to make statements about privacy, and those statements
are deceptive, the Commission may take action under Section 5. However, not every
long or opaque disclosure will be deceptive under Commission precedent. Regardless
of the threshold for Commission law enforcement actions, we believe that stakeholders should work together to improve transparency. Indeed, many companies recognize that providing clear disclosures to their consumers about their information
practices helps them maintain a positive relationship with their customers. Companies have an interest in promoting that relationship regardless of the prospect of
enforcement action by the FTC. The Preliminary Staff Privacy Report provides businesses with proposals for ways to simplify and improve disclosures, and we think
those steps would work well in this area while we continue to take action against
plainly deceptive practices.
VerDate Nov 24 2008
06:38 Mar 19, 2012
Jkt 073308
PO 00000
Frm 00092
Fmt 6601
Sfmt 6621
SCOM1
PsN: JACKIE
89
RESPONSE
TO
WRITTEN QUESTIONS SUBMITTED BY HON. MARK PRYOR

LAWRENCE E. STRICKLING
TO
Question 1. From your perspective, what were the two most important privacy
issues youd like to highlight in the Departments Commerce privacy green paper?
Answer. The Green Paper examines how the United States can strengthen its consumer data privacy framework while ensuring that this framework continues to encourage innovation in the digital economy. Instead of identifying specific consumer
data privacy issues that companies and policymakers should address, the Green
Paper focuses on recommendations that would help to create a policy framework
that better addresses increasingly intensive uses of personal data in the digital
economy. Two main issues emerged from this analysis.
First, consumers and businesses would benefit from the adoption of baseline, comprehensive Fair Information Practice Principles (FIPPs) in the commercial context.
Much of the personal data traversing the Internet falls into the gaps between existing Federal privacy statutes. There is also evidence that consumers who use the
Internet misunderstand the legal rules that apply to personal information collection
and use in the commercial context. These gaps in legal protection for personal data
leave consumers insecure and uneasy about how data about their activities and
transactions are collected, stored, and used. Widely adopted, comprehensive FIPPs
would help to fill these gaps and thereby increase consumer trust in the Internet.
Businesses would also benefit from comprehensive baseline FIPPs. Businesses
generally recognize that their sustainability depends on maintaining consumer trust
but find that the rules of the road are hard to discern. Applying a set of general
principles to commercial activities that are not covered by an existing Federal data
privacy statute would provide businesses with guidance as to what consumers and
enforcement agencies expect of them.
Second, fostering innovation within a consumer data privacy policy framework requires a flexible approach to implementing privacy protections. The Green Paper
proposes a framework in which the Department of Commerce would convene multistakeholder groupscomposed of representatives from industry, civil society, academia, and other government agenciesto define codes of conduct that are enforceable by the Federal Trade Commission under its current authority or through any
additional authority granted through baseline consumer privacy legislation. These
codes would provide guidance about how to apply FIPPs in specific contexts. The
multi-stakeholder process envisioned in the Green Paper would help to ensure that
these codes set forth practices that reflect evolving consumer expectations.
Question 2. What role does consumer trust play in the way users exchange information, goods and services over the Internet?
Answer. Protecting consumer trust in the Internet is a top policy imperative of
NTIA and the Department of Commerce. Consumer trust is essential to nurturing
the Internets growth, and protecting privacy is an important part of maintaining
consumer trust. When consumers entrust personal information to a company that
does business on the Internet, they expect that the company will handle it in ways
that are consistent with this relationship. If companies use information in ways that
are contrary to consumers expectations, then consumers may be reluctant to adopt
new Internet services and applications. Finally, consumer trust depends on more
than privacy. Issues of security, safety, and reliability also come into play. Whether
making purchases online, communicating with family members, or conducting business, consumers must know that they have control over their personal information.
As innovative new applications and services are developed, it is important that consumers know that their information is safe and that providers have clear rules
about how to respect individual privacy.
Indeed, the Department, in partnership with other Federal agencies and the private sector, is leading the implementation of an Administration effort to improve
consumer trust online: The National Strategy for Trusted Identities in Cyberspace
(NSTIC). The NSTIC envisions enhancing online privacy and security through services that provide credentials that improve upon the user name and password
schemes that are common online. The NSTIC proposes using technologies that
would provide individuals the option of obtaining a strong credential to use in sensitive online transactions. The NSTIC calls for the participants in this digital identity marketplace to implement privacy protections that are based on comprehensive
FIPPs. Developing enforceable codes of conduct through multi-stakeholder processes
is one way that the Department can work with the private sector to implement
these protections.
VerDate Nov 24 2008
06:38 Mar 19, 2012
Jkt 073308
PO 00000
Frm 00093
Fmt 6601
Sfmt 6621
SCOM1
PsN: JACKIE
90
Question 3. What do you envision the Departments role will be with respect to
privacy in the future?
Answer. We propose in the Green Paper an important role for the Department
of Commerce in convening stakeholders to develop enforceable codes of conduct that
implement comprehensive Fair Information Practice Principles (FIPPs) that the
Obama Administration supports as the foundation of Federal legislation in this
area. The Green Paper outlines a multi-stakeholder process in which the Department would convene companies, civil society groups, academics, and the FTC and
other government agencies to produce enforceable codes of conduct. An open development process that includes industry and consumers can help align these codes
and consumer expectations.
Another important role for the Department of Commerce is to work toward greater interoperability between the U.S. consumer data privacy framework and those of
our allies and trading partners. Companies would benefit from the potential reduction in multiple compliance burdens, and U.S. consumers would benefit from more
consistent cross-border consumer data privacy protections. Both objectives are important to the Department of Commerce, and the Department and the Administration are committed to working with Congress to develop an appropriate legislative
approach.
RESPONSE
TO
WRITTEN QUESTION SUBMITTED BY HON. MARK BEGICH

LAWRENCE E. STRICKLING
TO
Question. What steps should the industry take to assist Citizens with knowing
Answer. Enhancing transparency is one important step that companies can take
to help consumers understand the role of personal data collection and use in the
digital economy. As the Department of Commerces Green Paper on consumer data
privacy explains, enhanced, effective transparency requires providing consumers
with information that is accessible, clear, salient, and comprehensible. Current practices surrounding disclosures of privacy practices generally fall short of this standard; the privacy policies that are the primary mechanism for explaining what information companies collect and how they use are often lengthy, dense, and difficult
to comprehend. Providing simpler statements of these practices, and providing them
at times when consumers can act on this information, are ways that companies can
provide consumers with greater insight into, and control over, their digital lives. Online tools or interfaces that allow consumers to understand and manage the collection of personal information can also provide a link between enhanced transparency
and enhanced user control.
The Department of Commerce has also recommended that companies regard enhanced transparency as part of a more comprehensive approach to handling personal information. To this end, the Green Paper encourages the broad adoption of
comprehensive Fair Information Practice Principles (FIPPs).
RESPONSE
TO

JOHN MONTGOMERY
TO
Question 1. Mr. Montgomery, you mention at the beginning of your testimony the
importance of behavioral advertising to the Internet. Do you believe the enactment
of baseline privacy principles in the form of Federal legislation would have an effect
on targeted advertising? If so, what would it be? And, in turn, what impact might
that have on the larger online ecosystem?
Answer. GroupM supports efforts to promote transparency and choice in the marketplace and believes industry self-regulation is the appropriate approach for addressing concerns with online advertising while ensuring the ad-supported web continues to provide consumers benefit and fuel the Internet economy. A major benefit
of self-regulation is its ability to respond quickly to changes in the technology, business practices, and consumer preferences. It is this adaptive nature of self-regulation that makes it so well suited for the complex Internet ecosystem.
Our business is built on the belief that both consumers and companies benefit
when advertising provides timely and relevant information to those consumers who
are most likely to be interested. While not deliberate, a law could reduce the relevancy and effectiveness of advertising. There is already strong evidence that privacy regulations in the European Union have resulted in an average 65 percent re-
VerDate Nov 24 2008
06:38 Mar 19, 2012
Jkt 073308
PO 00000
Frm 00094
Fmt 6601
Sfmt 6621
SCOM1
PsN: JACKIE
91
duction in the effectiveness of online ads.1 We have concerns that a U.S. law could
similarly hinder innovation in the advertising and marketing industry, undermining
economic support for valuable content and services and possibly encouraging higher
fees to consumers. Inhibiting innovation would restrict growth in one of the healthiest industries in a troubled U.S. economy. These conditions would discourage venture capital funding for new entries, and in so doing, stall job growth in the industry.
Question 2. Mr. Montgomery, there has been a lot of discussion about whether industry best practices and self-regulatory efforts are effective. Many believe that
market forces will push companies toward such industry-led efforts and that the
FTC has the existing legal authority to hold companies accountable as good stewards of consumer information. Which do you believe is best for consumers: having
the Federal Government act as a legal backstop to industry-led self-regulation or
having the government set top-down prescriptive rules on how to collect and use
consumer data? What are some of the advantages and concerns with each approach?
Answer. Industry-led self-regulation is preferred over top-down, prescriptive rules
imposed by government. GroupM believes self-regulation is the most effective means
for addressing concerns with online behavioral advertising. Self-regulatory codes are
adaptive and may be quickly modified to address changes in consumer preference
and technology. In addition, this approach helps preserve an environment that fosters online innovation, ensures advertising continues to help fuel the Internet economic engine, and supports a vibrant, ad-supported offering of products and services
online that consumers now expect to receive for free or at a low cost. GroupM believes that the Digital Advertising Alliances (DAA) Self-Regulatory Principles of
Online Behavioral Advertising (Principles) are comprehensive yet flexible enough
to respond to the complex and rapidly evolving online advertising ecosystem. The
Principles set-forth consumer-friendly standards that require participants to provide
enhanced transparency and consumer choice with respect to the collection and use
of data for online behavioral advertising purposes.
The DAAs program has been designed for its participants to self-police, promote
compliance, and, where necessary, report non-compliant companies to the appropriate government agencies. This private-public collaboration where the Federal
Government acts as a legal backstop augments the self-regulatory programs credibility and reinforces the programs accountability measures.
The DAA program is backed by independent enforcement programs working in
concert to monitor and enforce compliance with the Principles, as well as manage
consumer complaint resolution. These accountability programs are live and being
administered by the Council of Better Business Bureaus (CBBB) and the Direct
Marketing Association (DMA). The DMA and CBBB Accountability Programs are
empowered under the Principles to provide a public report on entities that do not
come into compliance and to refer such cases to the Federal Trade Commission
(FTC). The FTC through its authority under Section 5 of the FTC Act can enforce
against entities that fail to honor its commitment to adhere to the Principles.
Through industry self-policing, more cops are on the beat, which reduces the burden
on the FTC.
Question 3. While a large portion of the online industry is participating in the
self-regulatory program, it has not reached 100 percent. What can be done to increase participation? Is it possible to do get full participation through a self-regulatory program?
Answer. It is very possible to achieve full participation in the DAA program. The
leading marketing and advertising trade associations, representing more than 5,000
companies, have committed to this self-regulatory approach because they strongly
believe in the programs purpose. This unprecedented collaborative effort has
brought together representatives of the entire advertising ecosystem to develop and
implement principles for the use and collection of data in this important area to the
economy. Already, over 60 companies are participating in the DAAs Consumer
Choice Page (http://www.aboutads.info/choices/) and billions of ad impressions
have been delivered with the Advertising Option Iconthe icon appearing in or near
ads or on web pages where data is collected or used for online behavioral advertising
purpose. This icon is used by participants to provide notice concerning online behavioral advertising practices and link to a universal choice mechanism.
The launch of the DAA program is resulting in a change in industry practice.
Companies are starting to require their partners to adhere to the Principles. This
1 According to a study conducted by Avi Goldfarb and Catherine E. Tucker, Privacy Regulation and Online Advertising, available at http://papers.ssrn.com/sol3/papers.cfm?abstract
lid=1600259.
VerDate Nov 24 2008
06:38 Mar 19, 2012
Jkt 073308
PO 00000
Frm 00095
Fmt 6601
Sfmt 6621
SCOM1
PsN: JACKIE
92
is driving participation in the program. In addition, the trade associations behind
this self-regulatory effort and the Accountability Programs are reaching out to companies to promote program participation. To help companies with compliance, the
DAA has selected three companies as approved providers to assist companies with
implementing the Principles. These approved providers services help companies to
provide enhanced notice and choice as required by the Principles.
RESPONSE
TO
WRITTEN QUESTION SUBMITTED BY HON. KAY BAILEY HUTCHISON

ERICH D. ANDERSEN
TO
Question. While a large portion of the online industry is participating in the selfregulatory program, it has not reached 100 percent. What can be done to increase
participation? Is it possible to do get full participation through a self-regulatory program?
Answer. The online ad industry, led by the Digital Advertising Alliance (DAA) and
of which Microsoft is a member, is working to increase participation in the self-regulatory program. Among the efforts to drive participation is increased outreach to
companies to promote participation and providing assistance to implement the program. Through these efforts the DAA believes it is possible to achieve full participation in its program.
RESPONSE
TO
WRITTEN QUESTIONS SUBMITTED BY HON. JOHN ENSIGN

ERICH D. ANDERSEN
TO
Question 1. How would you say the self-regulatory approach is working in the
marketplace to protect consumers thus far?
Answer. While still in the early stages of roll-out, the self-regulatory approach for
online advertising is on a sound path. Over 60 companies, including Microsoft, are
already participating in the Digital Advertising Alliances (DAA) Consumer Choice
Page resulting in an Advertising Option Icon being delivered on billions of online
ad impressions. The icon not only provides notice to consumers about online behavioral advertising practices, but also provides a link to a universal choice mechanism.
With the leading marketing and advertising trade associations backing the self-regulatory approach the expectation is that more companies will participate in the Consumer Choice Page.
The last few months have shown that industry can act quickly and effectively. For
example, in that short period of time, the three major browser vendors have announced do not track tools that offer unprecedented privacy protection. Even the
FTC has recognized and commended the progress industry has made in acting
quickly and effectively to protect consumer privacy.
Question 2. Mr. Andersen, you talked about the importance of industry self-regulation and best practices. How would your ability to protect consumers be compromised if we went in the opposite direction?
Answer. Our ability to protect consumers would be compromised by the adoption
of impractical proposals. Legislation becomes overregulation if it contains preferences for particular services, solutions, or mechanisms to provide notice, obtain
choice, or protect consumer data, or if it mandates prescriptive rules that may be
of limited effect or that burden businesses without yielding commensurate privacy
benefits. Seeking input from interested stakeholders is one way to ensure the right
balance is struck.
Question 3. Mr. Andersen, your testimony highlighted the need to promote continued innovation in technology and online services. Fostering and supporting innovation in the marketplace is a top priority of mine, and there is no question that innovation is crucial for creating jobs and economic growth. In your view, what is the
best way to encourage innovation while still protecting consumers online privacy?
Answer. There are a number of ways to encourage innovation while still protecting consumers online privacy:
Recognition of the role of self-regulation: while comprehensive privacy legislation may provide a set of baseline protections, self-regulation can build upon
those protections and adapt them to specific contexts. Consumers have different
privacy expectations depending on whether they are interacting with online retailers, social media services, search engines, or online ad networks. Self-regulatory principles can be tailored to these different contexts. In addition, self-regulation can address emerging technologies or business models.
Ensure there are no technology mandates.
VerDate Nov 24 2008
06:38 Mar 19, 2012
Jkt 073308
PO 00000
Frm 00096
Fmt 6601
Sfmt 6621
SCOM1
PsN: JACKIE
93
Allow for operational use of data. This means that companies would be able
to use data to provide the service the user wanted, improve services, protect
against fraud, and generally operate their business.
RESPONSE
TO
WRITTEN QUESTIONS SUBMITTED

BARBARA LAWLER
BY
HON. MARK PRYOR
TO
General Privacy Questions

Question 1. How does on-line information collection usually work?
Answer. Intuit does not engage in online tracking. However, as a technology, online information tracking typically works through the use of cookies which are random, identifiers that have no significance on their own. These cookies may be limited in their duration to a particular session that a customer is having with a
website, or they may persist for longer periods of time. In typical first party online information collection, these cookies can help a company understand several
thingsthe time spent on the site, the pages visited (and for how long), the navigation, or path that the visitor took, etc. This information is frequently used to improve the performance and usability of a companys website. Information may also
be collected for 3rd party usewhere the kinds of information mentioned above
may be shared across several different entities, typically advertisers, web-site publishers, and companies that help to match advertisers to publishers.
Question 2. How does behavioral advertising differ from contextual advertising?
Answer. Behavioral advertising typically refers to the delivery of advertising messages based on the interests inferred from a persons on-line behavior, over time.
It may include the kinds of searches that he/she does; the types of websites visited,
etc. The combination of these pieces of information can be used to deduce a persons
interests, in which case advertisements related to those possible interests can be
shown to the individual.
Contextual advertising typically involves a single point in time matching of advertising content to someone based on a specific action that the individual takes.
The classic example is the advertisements, or sponsored links, which show up in
the search results for a particular search query. For example, if someone were to
search for information on car tires, he/she will likely see advertisements from tire
manufacturers/sellers based specifically on that search request.
Question 3. What evidence is there that behavioral advertising is effective?
Answer. There have been some studies done which have shown that people are
more likely to respond to advertising based on their inferred interests, than more
general advertising messages unrelated to the audience receiving them.
Question 4. What does online information collection mean for our childrens reputations?
Answer. Collection of information on children under 13 is regulated by the
COPPA. Intuits products and services are financial in nature and not intended to
be used by children.
We recognize the proliferation of social media and the use of it by minors. We
would expect that companies providing such services would do so lawfully, and in
a manner respectful of all individuals using such a service.
Question 5. To what extent is geo-location tracking a problem?
Answer. Geo-location information can be very useful to provide specific, highly relevant services to individuals, such as providing directions, identifying nearest services, etc. In all cases, however, the individual should understand that his/her geolocation information is being collected. It should also be retained and used for a very
limited period of time specifically to provide those relevant services to him/her. Once
the services have been delivered, the geo-location data should be deleted and/or removed from the service.
Question 6. Is Federal privacy legislation needed? If so, what should be the basic
elements of any privacy legislation?
Answer. We see the value in commonsense Federal privacy legislations that could
set rules of the road for companies to follow and clear the field of conflicting state
laws. As the digital economy has grown over the last decade, self-regulatory approaches have allowed many businesses to offer consumers many innovative products and services while incorporating meaningful privacy protections in ways that
fit the company size, structure, culture and industry. High performers that are committed to capturing and retaining their customers trust implement a range of selfregulatory approaches, from privacy seals to government sponsored codes of conduct
(such as the Dept. of Commerce Safe Harbor Program). Self-regulatory approaches
may fall short for new, small start-ups, nave companies or malfeasant companies.
VerDate Nov 24 2008
06:38 Mar 19, 2012
Jkt 073308
PO 00000
Frm 00097
Fmt 6601
Sfmt 6621
SCOM1
PsN: JACKIE
94
The same could be said for regulation as well. Its our belief that the most effective
way to protect consumers and support innovation is a principles-based approach,
covering Fair Information Privacy Practices creates a credible baseline that provides
the rules of the road.
Question 7. Should companies be held to higher standards with respect to our children and the way their information is handled?
Answer. The Childrens Online Privacy Protection Act (COPPA) sets a high standard with respect to children online. The FTC should provide rigorous enforcement
of COPPA.
Question 8. Are you concerned about employer or insurance discrimination based
on information collected about consumers online?
Answer. We would have to research this issue in order to comment on this question.
Other questions
Question 9. Your testimony demonstrates a strong commitment to privacy. Do you
believe that Intuits approach to privacy is generally followed by companies operating online? How would you suggest other companies integrate privacy protections
into their services?
Answer. Different businesses can offer consumers various innovative products and
services while incorporating meaningful privacy protections in ways that fits the
company size, structure, culture and industry. High performers like Intuit that are
committed to capturing and retaining their customers trust implement a range of
self-regulatory approaches, from privacy seals to government sponsored codes of conduct (such as the Dept. of Commerce Safe Harbor Program). Self-regulatory approaches may fall short for new, small start-ups, nave companies or malfeasant
companies. Its our belief that the most effective way to protect consumers and support innovation is a principles-based approach to legislation that creates a baseline
that provides the rules of the road. We believe that an emphasis on education and
advocacy through industry sector associations, business groups, small business associations and local chambers of commerce. This would be necessary for both regulatory and self-regulatory approaches.
RESPONSE
TO
WRITTEN QUESTION SUBMITTED

BARBARA LAWLER
BY
HON. MARK BEGICH
TO
Question. What steps should the industry take to assist citizens with knowing
Answer. We are committed to educating our customers about their data stewardship choices and what they can do to protect their personal information when interacting with our products. Consumers would benefit from additional direct education
and communication, such as PSAs through mass media, social networks and simple
and clear information company websites.
RESPONSE
TO

BARBARA LAWLER
TO
Question 1a. Ms. Lawler, your company is engaged in a variety of online businesses and is subject to several Federal and state privacy regulations. You know as
well as anyone that totally unrelated companies can be impacted in different ways
by the interconnected web of privacy laws. I fear that addressing a privacy issue
in one area could have unexpected ramifications in a totally different area. If this
Committee considers developing new online privacy legislation, what sort of pitfalls
should we look out for so that we can avoid such unintended consequences?
Answer. A principles-based legislative approach will have the highest probability
of success in protecting consumers while providing a flexible, level playing field for
a wide range of businesses holding different types of data for different purposes.
This would allow organizations to incorporate the necessary types of privacy protections for consumers while allowing flexibility on how the protections are implemented. It can be the optimal framework for a wide range of business, especially
small businesses, which are the backbone of the American economy. We are specifically concerned about requirements that provide risk to innovation and customer delight, that may limit the flexibility to try new options and methods of delivering
value to our customers in a rapid, iterative fashion. Examples include mandates to
require the use specific technologies or specific procedural mechanics, such as very
specific requirements regarding how and when notices are delivered, worded and
VerDate Nov 24 2008
06:38 Mar 19, 2012
Jkt 073308
PO 00000
Frm 00098
Fmt 6601
Sfmt 6621
SCOM1
PsN: JACKIE
95
formatted; or rules that place too many controls on the first party use of data especially those uses that are already consistent with consumer understanding and expectations. Specific requirements can create overlapping rules for the exact same
sets of data; or specific words required for contractual agreements with third parties
can create confusion or inadvertent non-compliance. The Committee must also be
careful to avoid prescriptive mandates that attempt to address one set of concerns
with the Internet but could unintentionally limit or prevent other elements of the
Internet from functioning properlyfor example, the commendable effort to increase
transparency and choice related to behavioral tracking and advertising, if overly
proscribed, could inhibit software as a service applications functionality. As we developed the Intuit Data Stewardship Principles, our customers told us in multiple
rounds of research that they prefer the specificity of simple, plain languagePrinciples rather than the policy-based, business-speak language you or I might think
is better.
Question 1b. Is there an approach we can take to build upon or work within existing frameworks, such as HIPPA and Gramm-Leach-Bliley, rather than writing another separate statute?
Answer. At Intuit we have experience with applying different rules to overlapping
sets of data. Both HIPAA and GLB have their strengths and weaknesses; both are
based on recognized privacy principles, and yet take philosophically different approaches. HIPAA is designed to limit data uses and sharing beyond the first party
organization, while GLB is designed to enable data uses beyond the first party organization. And both contain elements of proscriptive requirements, notices being a
prime example.
We recommend starting from a fresh perspective that is principles based and does
not rely on procedural requirements.
Question 2a. Ms. Lawler, there has been a lot of discussion about whether industry best practices and self-regulatory efforts are effective. Many believe that market
forces will push companies toward such industry-led efforts and that the FTC has
the existing legal authority to hold companies accountable as good stewards of consumer information. Which do you believe is best for consumers: having the Federal
Government act as a legal backstop to industry-led self-regulation or having the
government set top-down prescriptive rules on how to collect and use consumer
data?
Answer. We believe the most effective solution would be a middle ground between
the two: A principles-based legislative approach will provide a wide range of businesses holding different types of data for different purposes to incorporate the necessary types of privacy protections for consumers while allowing flexibility on how
the protections are implemented. It can be the optimal framework for a wide range
of business, especially small businesses, which are the backbone of the American
economy.
Question 2b. What are some of the advantages and concerns with each approach?
Answer. There is an argument that market forces, policy-maker scrutiny, customer expectations are heading in right direction but will not fully cover all types
of organizationshigh performers, edge riders and the majority that are unaware.
Enforceable self-regulatory codes of conduct work for most businesshigh performers are provided opportunity to excel, and those who need rules of the road are
still able to complypreserving flexibility and the ability to innovate is key. As Congress considers rules of the road, take care to not be overly prescriptiveprotecting
online privacy while sacrificing innovation will not help consumers or the competitiveness of the American economy.
Question 3. While a large portion of the online industry is participating in the
self-regulatory program, it has not reached 100 percent. What can be done to increase participation? Is it possible to do get full participation through a self-regulatory program?
Answer. We believe that a good approach is an emphasis on education and advocacy through industry sector associations, business groups, small business associations and local chambers of commerce. This would be necessary for both regulatory
and self-regulatory approaches.
VerDate Nov 24 2008
06:38 Mar 19, 2012
Jkt 073308
PO 00000
Frm 00099
Fmt 6601
Sfmt 6621
SCOM1
PsN: JACKIE
96
RESPONSE
TO
WRITTEN QUESTIONS SUBMITTED

BARBARA LAWLER
BY
HON. JOHN ENSIGN
TO
Question 1. How would you say the self-regulatory approach is working in the
marketplace to protect consumers thus far?
Answer. As the digital economy has grown over the last decade, self-regulatory
approaches have allowed many businesses to offer consumers many innovative products and services while incorporating meaningful privacy protections to protect their
customers in ways that fit the company size, structure, culture and industry. High
performers that are committed to capturing and retaining their customers trust implement a range of self-regulatory approaches, from privacy seals to government
sponsored codes of conduct (such as the Dept. of Commerce Safe Harbor Program).
Self-regulatory approaches may fall short for new, small start-ups, nave companies
or malfeasant companies. The same could be said for regulation as well. Its our belief that the most effective way to protect consumers and support innovation is a
principles-based approach to legislation that creates a baseline that provides the
rules of the road.
Question 2. Ms. Lawler in your testimony you cite the value of principles-based
privacy legislation working in tandem with self-regulatory approaches and codes of
conduct, highlighting the importance of enabling industry flexibility.
Answer. A principles-based legislative approach will provide a wide range of businesses holding different types of data for different purposes the ability to incorporate the necessary types of privacy protections for consumers while allowing flexibility on how the protections are implemented. It can be the optimal framework for
a wide range of businesses, especially small businesses, which are the backbone of
the American economy.
Question 3. In your opinion, what would be the effect of over-prescriptive, onesize-fits-all regulation on your ability to protect the online privacy of consumers?
Answer. Intuits approach is to provide our customers a high integrity, trusted
end-to-end experience that ultimately results in customer delight. Proscriptive, onesize-fits-all approaches tend to emphasize form over functional value to consumers
(when was the last time you read the mandatory financial institution or HIPAA privacy notice?). Such an approach would force us to focus on procedural compliance
first and customer delight and innovation second. Our priority lies with providing
our customers with innovative ways to solve their financial problems while making
sure their data is protected.
Question 4. Can you give me specific examples of what types of industry regulation you would consider over-prescriptive?
Answer. We are specifically concerned about requirements that provide risk to innovation and ultimately hurt our ability to meet our customer needs, and limit the
flexibility to try new options and methods of delivering value to our customers in
a rapid, iterative fashion. Examples include mandates requiring the use of specific
technologies or specific procedural mechanics, such as very specific requirements
about how and when notices are delivered, how they are worded and formatted, or
specific words required for contractual agreements with third parties. As we developed the Intuit Data Stewardship Principles, our customers told us in multiple
rounds of research that they prefer the specificity of simple, plain language Principles rather than the policy-based, business-speak language you or I might think
is more descriptive.
Question 5. In your view, what is the best way to encourage innovation while still
protecting consumers online privacy?
Answer. We believe that the best way is through a principles-based approach that
could work in tandem with self-regulatory approaches and enforceable codes of conduct, which provide consistent guidance to all types and sizes of organizations, fill
the gaps between existing regulations. The principles-based approach is especially
critical to allow for flexible application by small businesses.
RESPONSE
TO
WRITTEN QUESTIONS SUBMITTED BY HON. MARK BEGICH

CHRISTOPHER R. CALABRESE
TO
Question 1. What steps should the industry take to assist citizens with knowing
Answer. While industry can take some limited steps to protect consumers, the
best way to improve public knowledge about digital life is for Congress to grant consumers control over their own personal information. If consumers had enforceable
rights, they would educate themselves about how to use them. In the current system, there is no advantage to consumers in learning key facts about their digital
VerDate Nov 24 2008
06:38 Mar 19, 2012
Jkt 073308
PO 00000
Frm 00100
Fmt 6601
Sfmt 6621
SCOM1
PsN: JACKIE
97
life such as the entities that hold personal information or the tools used to monitor
web tracking. No matter how educated consumers become, they cant do anything
practical or beneficial with their knowledge. They can only participate online in a
take it or leave it way. They have no power to limit data sharing, access personal
profiles, or delete records. Consumers will only take the time to learn about the use
of their information if it is worth their time and effort to do so. That means giving
them the tools to police their own profiles and limit data sharing. My written statement elaborates in much more detail on the full range of enforceable rights the
ACLU believes should be available to consumers.
Given that reality, one useful step industry could take is to work with the Federal
Trade Commission (FTC) to reduce the complexity of their privacy policies. Because
the FTC can only penalize companies that engage in unfair and deceptive practices,
companies have incentives to avoid providing clear notice to consumers because that
notice could be used to create enforceable rights against them. Instead, they largely
write bloated privacy policies that describe company practices in such detail and legalistic jargon as to be incomprehensible to consumers. If companies commit to providing simplified policies with common language and definitions that can be compared between companies (like nutrition labels on food), it would be a helpful consumer education tool.
Similarly, companies could commit in simple terms to honoring any do not track
preference stated by a consumer and insuring that all advertisers on their site do
the same. Do not track should be understood to mean no tracking or storage of
information at all, not simply a ban on behaviorally targeted ads. Such a mechanism would also give consumers incentive to learn about their rights.
Ultimately both of these tools are limited compared to the real explosion of consumer education and understanding that could be created if consumers were actually given enforceable control over their information through a legislative mandate.
Question 2. Mr. Calabrese, I appreciate your comments regarding the invasion of
privacy currently occurring on the Internet. Besides your recommendation for a Do
Not Track method for browsers what else could we do to improve the experience
of Internet users?
Answer. The best way to improve the experience of Internet users is to increase
their trust in the system. As Internet use is increasing so is consumer awareness
and fear of expanding information collection. Many new web applications use and
share a great deal of personal information. Social networking sites, location based
services, online retail services, and a variety of other sites all rely on a willingness
of consumers to share personal information. These websites and applications can
only reach their full potential if consumers can share this information secure in the
knowledge that they retain control over it.
There is evidence that these fears are affecting consumers. According the Federal
Communications Commissions National Broadband Plan, 22 percent of people dont
use the Internet because of discomfort with computers and concern about all the
bad things that can happen if [they] use the Internet. According to Gallup polling
conducted for USA Today, 61 percent of consumers opposed web tracking even if
they kept costs down and allowed consumers to visit websites for free.
Efforts to protect consumer privacy must be backed by the government, not simply
created by industry. For years, government agencies have called on industry to provide privacy protections for consumers. However, as the FTC report explains in its
recent report on privacy, self-regulatory efforts have been too slow, and up to now
have failed to provide adequate and meaningful protection. Though industry has
taken some steps, there is still no widespread adoption of provisions allowing consumer control and only a limited legally enforceable basis for relying on them.
Question 2a. Are there different recommendations for those websites targeting
children?
Answer. We believe Congress should work toward providing a high level of protection to everyones privacy onlineadult and child alike. Strong protections that
allow consumer control over sharing of personal information would benefit both children and adults. Within this framework, it might be necessary to provide heightened protection for children. For example, many advocates have called for special
protections for sensitive information such as information related to a persons financial accounts, medical records or sexual orientation. Information on children could
be placed in that category as well to assure that it receives the highest level of protection possible.
Question 2b. What about applications on phones?
Answer. Internet use on mobile phones raises two additional issueslocation
tracking and device identification. Mobile devices constantly record and track an individuals physical movements and the devices themselves often contain unique
VerDate Nov 24 2008
06:38 Mar 19, 2012
Jkt 073308
PO 00000
Frm 00101
Fmt 6601
Sfmt 6621
SCOM1
PsN: JACKIE
98
identifying numbers that cannot be easily changed. This allows more robust and
persistent tracking both in the physical and Internet space. This information can
be gathered both by cell phone providers and applications running on those phones.
As of December 2009, more than 90 percent of the overall population of the
United States subscribed to cell phone servicean estimated 285.6 million people.
While cell phones are best known as devices used to make voice calls and send text
messages, they are also capable of being used as tracking devices. As a result, cell
phone technology has given many parties including the government, marketers, and
employers an unprecedented new surveillance tool. The technical capacity now exists to track any one of the Nations hundreds of millions of cell phone owners, for
24 hours a day, for as long as it likes. Whether it is a visit to a therapist or liquor
store, church or gun range, many individuals locations will be available either in
real time or months later. Because of the sensitivity and invasiveness of location
records, many advocates, including the ACLU argue for high standards for access
to this information including a warrant based on probable cause for law enforcement
access.
An example of the pervasiveness of this location tracking was recently described
by the New York Times. According to the article a German lawmaker, Malte Spitz,
gained access from his cell phone provider to all the location information associated
with him (such access is required under German law). Using that information he
was able to map his movements for 6 months. In another example, New York City
attempted to fire an employee using cell phone records as evidence he was leaving
work early.
Consumers are concerned about this intrusion. In a recent poll, 49 percent of respondents said they would be more comfortable with location-based services if they
could more easily and clearly manage who sees their location information; 84 percent were concerned about the sharing of their location data without their consent;
84 percent were concerned about identity or data theft; and 83 percent were concerned about loss of privacy.
COMMENTS
ON
THE STATE
OF
ONLINE PRIVACY, March 16, 2011
Adam Thierer, Senior Research Fellow, U.S. Senate, Committee on Commerce, Science, and Transportation
Published by the Mercatus Center, George Mason University and also available at http://mercatus.org/sites/
default/files/publication/comments-senate-hearing-state-online-privacy.pdf.
As the Commerce Committee continues its exploration of online privacy issues, it

is important that it ask some hard questions about the wisdom of imposing a comprehensive new regulatory regime on the Internet, which the Obama Administration
appears to now favor. The Federal Trade Commission (FTC) 1 and Department of
Commerce (DoC) 2 both released new privacy frameworks late last year and seem
determined to move America toward a more European-ized conception of privacy
regulation.3
Here are a few questions that should be put to the FTC and DoC officials, or those
who support the direction they are taking us:
Before implying that we are experiencing market failure, why hasnt either
the FTC or DoC conducted a thorough review of online privacy policies to evaluate how well organizational actions match up with promises made in those policies?
To the extent any sort of internal cost-benefit analysis was done internally before the release of these reports, has an effort been made to quantify the potential size of the hidden privacy tax that new regulations like Do Not Track
could impose on the market?
Has the impact of new regulations on small competitors or new entrants in the
field been considered? Has any attempt been made to quantify how much less
entry/innovation would occur as a result of such regulation?
1 Federal Trade Commission, Protecting Consumer Privacy in an Era of Rapid Change (December 2010), http://www.ftc.gov/os/2010/12/101201privacyreport.pdf.
2 U.S. Department of Commerce, Commercial Data Privacy and Innovation in the Internet
Economy: A Dynamic Policy Framework, U.S. Department of Commerce Internet Policy Task
Force (December 2010).
3 Adam Thierer, Obama Admins Lets-Be-Europe Approach to Privacy Will Undermine U.S.
Competitiveness, Technology Liberation Front, January 5, 2011, http://techliberation.com/
2011/01/05/obama-admins-lets-beeurope-approach-to-privacy-will-undermine-u-s-competitiveness/.
VerDate Nov 24 2008
06:38 Mar 19, 2012
Jkt 073308
PO 00000
Frm 00102
Fmt 6601
Sfmt 6621
SCOM1
PsN: JACKIE
99
Were any economists from the FTCs Economics Bureau consulted before the
new framework was released? Did the DoC consult any economists?
Why do FTC and DoC officials believe that citing unscientific public opinions
polls from regulatory advocacy organizations serves as a surrogate for serious
cost-benefit analysis or an investigation into how well privacy policies actual
work in the marketplace?
If they refuse to conduct more comprehensive internal research, have the agencies considered contracting with external economists to build a body of research
looking into these issues (as the Federal Communications Commission did in a
decade ago in its media ownership proceeding)?
Has either agency attempted to determine consumers willingness to pay for
increased privacy regulation?
Has either agency explored the potential free speech issues that are at stake
here since increased privacy regulation could potentially infringe legitimate
First Amendment rights?
More generally, where is the harm 4 and arent there plenty of voluntary privacy-enhancing tools out there that privacy-sensitive users can tap to shield
their digital footsteps, if they feel so inclined?
These are just some of the many of these questions explored in my recent filing
to the Federal Trade Commission in its proceeding on Protecting Consumer Privacy
in an Era of Rapid Change.5 Because of the unique focus on the so-called Do Not
Track mechanism as a potential silver-bullet solution to online privacy concerns,
I am attaching the portion of my filing discussing the potential costs of such a mandated solution.
How a Mandatory Do Not Track Regime Creates Potential Risks to
Consumers, Culture, Competition, and Global Competitiveness
More tailored forms of online advertising and the tracking technologies which
make them possible are coming under increasing scrutiny today. Some of this can
be attributed to a general unfamiliarity with how online advertising works and the
role personal information and data collection play in the process.6 Although, as
noted above, no clear case of harm has been established, some privacy fundamentalists who oppose virtually any form data collection have elevated this concern to near
techno-panic levels and are now demanding regulation.7 As noted below, a variety
of toolssuch as, browser cookie controls or third-party plug-insalready exist that
can help consumers block targeted ads or limit data collection. But the Commission,
likely inspired by regulatory advocates claims of the complexity of those voluntary
systems, is now pushing for additional steps to simplify or speed up the process.
Hence, a Do Not Track mechanism has become the preferred universal fix, and
one that the Commission is now pushing upon the marketplace. Do Not Track would
demand that websites honor a machine-readable header indicating that the user did
not want to be tracked. In theory, this will allow privacy-sensitive web surfers to
signal to websites that they would like to opt-out of any targeted advertising or not
4 Berin Szoka and Adam Thierer, Targeted Online Advertising: Whats the Harm & Where
Are We Heading? Progress on Point 16.2, (Washington, D.C.: The Progress & Freedom Foundation, February 13, 2009), http://www.pff.org/issues-pubs/pops/2009/pop16.2targetonlinead.pdf.
5 Adam Thierer, Public Interest Comment on Protecting Consumer Privacy in an Era of Rapid
Change86 (Arlington, VA: Mercatus Center at George Mason University), February 18, 2011,
http://mercatus.org/publication/public-interest-comment-protecting-consumer-privacy-era-rapidchange. Also see, see Adam Thierer, Unappreciated Benefits of Advertising and Commercial
Speech, Mercatus on Policy 86 (Arlington, VA: Mercatus Center at George Mason University),
January 2011, http://mercatus.org/publication/unappreciatedbenefits-advertising-and-commercial-speech.
6 Exaggerated fears are particular common regarding new technologies.. Kent Walker, The
Costs of Privacy, 25 Harvard Journal of Law & Public Policy, no 87, (Fall 2001), 126. A recent
report by the U.K. government noted that New media are often met by public concern about
their impact on society and anxiety and polarisation of the debate can lead to emotive calls for
action. Safer Children in a Digital World, Byron Review on Children and New Technology, Department for Children, Schools and Families, [U.K.] task force report, March 2008, 3, http://
www.dfes.gov.uk/byronreview/pdfs/Final%20Report%20Bookmarked.pdf.
7 The privacy problem has morphed . . . into the latest terror of the digital ago, surpassing
earlier shibboleths, argues Larry Downes. . . . Larry Downes, A Market Approach to Privacy
Policy, in Berin Szoka and Adam Marcus, eds., The Next Digital Decade: Essays on the Future
of the Internet (Washington, D.C.: TechFreedom, 2011), 510. Also see generally Adam Thierer,
Parents, Kids & Policymakers in the Digital Age: Safeguarding Against Techno-Panics, Inside
ALEC, July 2009, 1617, http://www.alec.org/am/pdf/InsidelJuly09.pdf.
VerDate Nov 24 2008
06:38 Mar 19, 2012
Jkt 073308
PO 00000
Frm 00103
Fmt 6601
Sfmt 6621
SCOM1
PsN: JACKIE
100
have any information about them collected when visiting sites. The potential costs
of such a regime will be explored in this section.
1. Potential Direct Cost to Consumers
The Commission poses a variety of questions regarding how a Do Not Track regime may be implemented and what its potential impact might be.8 How many consumers would opt-out? How many would be willing to pay site subscriptions? How
would it impact online publishers and advertisers? And so on. The truth is, nobody
knows the answers to these questions, and the Commission has made no attempt
to conduct a serious cost-benefit analysis of such a regime. Importantly, opinion
polls cannot predict with accuracy how things will turn out once such a regime
takes effect because consumer and marketplace reactions to real-world developments are more complex and nuanced than artificial surveys or experiments.9
What we do know is that online advertising today allows consumers to enjoy a
veritable cornucopia of innovative, and mostly free, sites and services. Government
regulation could break the implicit online quid pro quo currently governing online
sites and servicesthat consumers enjoy a bevy of free content and services in exchange for tolerating ads and data collectionby creating what appears to be a costfree choice option for consumers. That choice, however, will be anything but costless.
Lauren Weinstein, co-founder of People For Internet Responsibility (PFIR), worries that the ability [of Do Not Track concepts] to cause major collateral damage
to the Internet ecosystem of free Web services is being unwisely ignored or minimized by many Do Not Track proponents. 10 Weinstein is correct. There is no free
lunch. While well-intentioned, government regulation that attempts to create a costfree opt-out for data collection and targeted online advertising will likely have damaging unintended consequences. In terms of direct costs to consumers, Do Not Track
could result in higher prices for service as paywalls go up or, at a minimum, advertising will become less relevant to consumers and, therefore, more intrusive in
other ways.
Why might less relevant advertising represent a cost to consumers? It comes down
to the value of their time and the benefits of relevant advertising to them. Ben
Kunz, director of strategic planning at Mediassociates, a media planning and Internet strategy firm, argues that Do Not Track wont stop online ads but will instead
simply lead to tons of banners and videos everywhere online. Theyll simply be less
relevant. 11 The Wall Street Journal agrees, noting: While many supporters of Do
Not Track imagine that the opt-out would reduce the ads they see, the opposite
would more likely occur, causing advertisers to blanket more media and use more
intrusive techniques to reach the same number of potential customers. 12 When
Google recently announced it would be offering a Keep My Opt-Outs extension to
its Chrome web browser to come into line with the FTCs desire for more Do Not
Track mechanisms, the company also noted that once you install the Keep My OptOuts extension, your experience of online ads may change: You may see the same
ads repeatedly on particular websites, or see ads that are less relevant to you. 13
Thus, Do Not Track will stop marketers from serving up ads for products you may
actually want, Kunz notes.14 This represents a direct cost to consumers in terms
of the hassle of unwanted, intrusive (or spammy) advertising.
But it is the potential for prices to rise for online content and services that is the
most important direct cost to consumers. If paywalls go up and subscriptions are
required as a result of the new Do Not Track regime, Corey Kronengold of Digiday
suggests the response of users could take one of two forms: 15
8 Federal
Trade Commission, Protecting Consumer Privacy, A4.

e.g., Berin Szoka, Privacy Polls v. Real-World Trade-Offs, 5 Progress Snapshot 10
(Washington, D.C.: The Progress & Freedom Foundation, October 8, 2009), http://www.pff.org/
issues-pubs/ps/2009/ps5.10-privacy-pollstradeoffs.html; Downes, A Market Approach to Privacy Policy, 514.
10 Lauren Weinstein, Risks in Mozillas Proposed Firefox Do Not Track Header Thingy,
Lauren Weinstein blog, January 24, 2010, http://lauren.vortex.com/archive/000803.html.
11 Ben Kunz, The $8 Billion Do Not Track Prize, Bloomberg Businessweek, December 22,
2010, http://www.businessweek.com/technology/content/dec2010/tc20101222l392883.htm.
12 The Internet Browsing Cops, January 21, 2011, http://online.wsj.com/article/SB1000
1424052748704723104576061900000013690.html.
13 Sean Harvey and Rajas Moonka, Keeping Your Opt-Outs, Google Public Policy Blog, January 24, 2010, http://googlepublicpolicy.blogspot.com/2011/01/keep-your-opt-outs.html.
14 Kunz, The $8 Billion Do Not Track Prize.
15 Corey Kronengold, Taking Issue: The Value of Privacy, Digiday, December 16, 2010,
http://www.digidaydaily.com/stories/taking-issue-the-value-of-privacy.
9 See,
VerDate Nov 24 2008
06:38 Mar 19, 2012
Jkt 073308
PO 00000
Frm 00104
Fmt 6601
Sfmt 6621
SCOM1
PsN: JACKIE
101
1. Users (especially those who are highly privacy sensitive) might gladly accept
the trade-off and pay something more for those sites and services instead of
having data collected or ads served; or,
2. Users might revolt against the resulting paywalls, subscriptions, micropayment schemes, tiered services, etc, and demand government intervention in the
name of fairness. We might even hear talk of gouging and calls for price regulation, even though developers would have no choice but to raise prices to
cover costs in the absence of advertising support.
Some mix of the two could be the end result, but the latter scenario seems far
more likely. If we move too far one way, the people supplying the free content will
get together and say we arent going to supply the content for free, says Dilip
DaSilva, chief executive of Exponential Interactive, owner of the Tribal Fusion online advertising network. Its not like the publishers will offer free content to people
who visit their site but dont want ads tracking them. 16
Of course, there is nothing wrong with online sites and service providers charging
for what they offer consumers, but, as Kronegold suggests, if regulation moves the
marketplace in that direction unnaturally, many consumers will likely have a problem with it since they have grown accustomed to an abundance of free online services. It is impossible to determine what prices online providers might seek to charge
for their services, but anything more than the $0.00 they currently charge will likely
come as a shock to many consumers. As discussed in the following section, it will
also have profound repercussions on the broader availability of much content and
many of the services consumers take for granted. In this sense, Do Not Track becomes a privacy tax on consumers, requiring them to pay for things they previous
received inexpensively, or for free.17
There are other costs associated with the process of creating paywalls and setting
prices that will be borne by online content providers and consumers, as Commissioner William Kovacic noted in his statement on the Commissions privacy report:
Setting prices is costly; if willingness to pay to avoid tracking varies substantially, the informational requirements to set access prices will be large. For a
number of content providers, a price-for-content model is likely to provide less
revenue than monetization via advertising; that most websites choose an addriven model rather than a direct fee model suggests that the former is a more
efficient means than the latter to monetize content in most circumstances. At
the marginwhich may be largeforcing firms away from their revealed-preferred method of monetization may reduce revenue and hence degrade quality.
In discussing whether website content might be degraded by consumers choosing not to be tracked, how, if at all, should such risks impact the Commissions
analysis? 18
How much content will go behind paywalls? Dan Castro of the Information Technology & Innovation Foundation fears much will:
If a Do Not Track list ever became widely implemented companies could respond by simply blocking access to those sites for users who opt out, just as
some sites today block users who use ad-blocking software or do not register on
a site. Users who currently opt out of targeted advertising but continue to use
the content or service which the advertising pays for are essentially free riders.
They are the minority of users who are benefiting from the willingness of the
majority to divulge some personal information in exchange for free or reducedprice content. It is this exchange that enables the U.S. Internet ecosystem to
be so robust and largely free of charge to the average user. Privacy advocates
rarely acknowledge the harm to advertising revenues that would result from a
large number of consumers signing up for Do Not Track.19
Another alternative short of paywalls would be interstitial pop-ups warning consumers they must first disable Do Not Track before they are allowed to use portions
16 Quoted in Tanzina Vega and Verne Kopytoff, In Online Privacy Plan.
17 We might better think of a privacy taxwe pay the regular price unless we want to keep
information about our food, alcohol, and pharmaceutical purchases from the market; to keep our
habits to ourselves, we pay extra. Hal Abelson, Ken Ledeen, and Harry Lewis, Blown to Bits:
Your Life, Liberty, and Happiness After the Digital Explosion (Upper Saddle River, NJ: AddisonWesley, 2008), 11.
18 Concurring Statement of Commissioner Kovacic, in Federal Trade Commission, Protecting
Consumer Privacy, D4.
19 Daniel Castro, Policymakers Should Opt Out of Do Not Track, Information Technology
& Innovation Foundation, November 2010, 3, www.itif.org/files/2010-do-not-track.pdf.
VerDate Nov 24 2008
06:38 Mar 19, 2012
Jkt 073308
PO 00000
Frm 00105
Fmt 6601
Sfmt 6621
SCOM1
PsN: JACKIE
102
of the site, or perhaps any of it.20 In other words, sites may seek to formalize the
previously unwritten quid pro quo of information as currency. Some Do Not Track
regulatory advocates try to assuage such concerns by pointing to the existence of
widespread online website registration or site login procedures today, which do not
generally require user to disable settings (such as cookie-blocking or ad-blocking) or
pay anything before using site content/services. For example, Arvind Narayanan of
Stanford University argues:
I do not believe that disabling DNT as a requirement for service will become
anywhere near as prevalent as logging in as a requirement for service. I bring
up login only to make the comforting observation there seems to be a healthy
equilibrium between sites that require login always, some of the time, or
never.21
Ultimately, however, this observation provides little comfort since it ignores the
fact that Do Not Track could be preemptively breaking business models on an unprecedented scale, thus forcing vast numbers of online publishers to make uncomfortable trade-offs going forward if they wish to provide the current level of service
or expanded options. Narayanan may end up being correct and a highly tiered, permission-based Internet may not be erected. But, as the next section notes, that is
a risky bet and one that could have profound consequences for the future online content and the richness of its culture.
2. Potential Indirect Costs/Impact on Content & Culture
Direct monetary cost to consumers is not the only issue here. The indirect impact
of regulation on content and culture must also be considered.
While targeted online advertising only accounted for $1.1 billion in 2010, it has
been growing at healthy 20 percent clip, estimates eMarketer.22 Factor in the use
of data to determine marketing efficiencies and that figure could be as high as $7
billion to $8 billion of the $25 billion online ad spend, says Katy Bachman of
AdWeek.23 Larry Ponemon, Chairman of the Ponemon Institute, which studies privacy and security issues, told the New York Times that Privacy fears are definitely
having an economic impact on the market, especially the uncertain legal and regulatory environment and the threat of regulation.24 A May 2010 Ponemon Institute
survey of senior marketing executives with 90 diverse organizations that were actively engaged in online marketing found that:
63 percent of those we surveyed said behavioral advertising generated their
greatest return on investment. Yet 98 percent told us that, because of consumers
privacy fears, their companies are curtailing investments in online behavioral
targeting. These companies are willing to sacrifice the revenue they believe they
can generate through an online campaign rather than risk the potential hit to
brand reputation for being as aggressive as they would like to be. Overall that
curtailment has kept more than $600 million out of the behavioral targeting industry.25
This matters because it represents foregone investment in new forms of content,
culture, and services. Media economists and industry experts have long realized that
advertising is the great sustainer of media.26 Advertising benefits society by subsidizing the creation of news, information, and entertainment. Advertisers are critical to the success of commercial media because they provide the primary revenue
stream that keeps most of them viable, argues Robert G. Picard, author of The Eco20 Ironically, depending on how such permission systems are structured, this may actually end
up forcing consumers to reveal more information about themselves to many sites as a condition
of access content or services on those sites.
21 Arvind Narayanan, Do Not Track Explained, 33 Bits of Entropy, September 30, 2010,
http://33bits.org/2010/09/20/do-not-track-explained.
22 David Hallerman, Audience Ad Targeting: Data and Privacy Issues, eMarketer, February
2010, http://www.emarketer.com/Reports/All/Emarketerl2000636.aspx.
23 Katy Bachman, (Ad) Apocalypse Soon, AdWeek, December 19, 2010, http://www.ad
week.com/aw/contentldisplay/esearch/e3i9f75082f2f627711694ca34d9b326105.
24 Quoted in Steve Lohr, Privacy Concerns Limit Online Ads, Study Says, New York Times,
April 30, 2010, http://bits.blogs.nytimes.com/2010/04/30/privacy-concerns-limit-online-adsstudy-says.
25 Larry Ponemon, Fear and Loathing in Online Advertising, Ponemon Institute blog, May
3, 2010, http://www.ponemon.org/blog/post/fear-and-loathing-in-online-advertising.
26 For a summary, see Adam Thierer, Unappreciated Benefits of Advertising and Commercial
Speech, Mercatus on Point 86 (Arlington, VA: Mercatus Center at George Mason University),
January 2011, http://mercatus.org/publication/unappreciated-benefits-advertising-and-commercial-speech.
VerDate Nov 24 2008
06:38 Mar 19, 2012
Jkt 073308
PO 00000
Frm 00106
Fmt 6601
Sfmt 6621
SCOM1
PsN: JACKIE
103
nomics and Financing of Media Companies.27 Mary Alice Shaver of the University
of Central Florida puts this support in context: Advertising revenues pay for virtually all broadcast media, 70 percent to 80 percent of support for newspapers and
an equally high percentage for magazines. 28
Importantly, advertising is proving increasingly to be the only business model
with any real staying power for many media and information-producing sectors.
Pay-per-view mechanisms, micropayments, and even subscription-based business
models are all languishing.29 Consequently, the overall health of modern media
marketplace and the digital economyand the aggregate amount of information and
speech that can be produced or supported by those sectorsis fundamentally tied
up with the question of whether policymakers allow the advertising marketplace to
evolve in an efficient, dynamic fashion.30 In this sense, it is not hyperbole to say
that an attack on advertising is tantamount to an attack on media itself.31
A March 2010 study on The Value of Behavioral Targeting, conducted by Howard Beales on behalf of the Network Advertising Initiative, demonstrates how this
could be the case.32 Beales, the former Director of the Bureau of Consumer Protection at the FTC, found that advertising rates are significantly higher for behaviorally targeted ads, with the average return on behaviorally targeted advertising
being just over twice that of other advertising. The reason that greater return on
investment is important, Beales notes, is because:
Advertising using behavioral targeting is more successful than standard run of
network advertising, creating greater utility for consumers from more relevant
advertisements and clear appeal for advertisers from increased ad conversion.
Finally, a majority of network advertising revenue is spent acquiring inventory
from publishers, making behavioral targeting an important source of revenue
for online content and services providers as well as third party ad networks.33
This illustrates how more effective advertising can cross-subsidize and sustain online content and culture. More and better advertising means more and better content and services will be made available to consumers. Beales concluded his study
by noting: Increasingly, advertising is the financing mechanism that makes online
content and services possible as well. As content traditionally provided offline (such
as newspapers) continues to move to the Internet, the link between online advertising and content is likely to become increasingly vital to the provision of information and services that we have long taken for granted. 34
With these insights in mind, it is peculiar that the Commission ignores the connection between this proceeding and another FTC proceeding which poses the question, How Will Journalism Survive the Internet Age? 35 That is a fair question for
the FTC to ask, and one that the Federal Communications Commission has also
27 Robert G. Picard, The Economics and Financing of Media Companies (Bronx, NY: Fordham
University Press, 2002), 122.
28 Mary Alice Shaver, The Economics of the Advertising Industry, in Alison Alexander, et.
al., Media Economics: Theory and Practice (Mahwah, NJ: Lawrence Erlbaum Associates, Third
Edition, 2004), 250.
29 To some extent, these are all just variations of a fee-for-service business model. Micropayments, for example, would require a small payment for each media unit accessed or
downloaded, such as $1 per news article or song.
30 Much of the valuable information content available on the Internet, and so many of the useful services we use every day, is free, explains Larry Downes, not because of some utopian
dream of inventors or even because of the remarkably low transactions costs of the digital economy. The content is free because the costs of the servicesblogs, stock quotes, even home movies posted on YouTubeare underwritten by advertisers. If we dont read and respond to ads,
well have to pay for these services some other way, he notes. Downes, The Laws of Disruption,
834.
31 See Adam Thierer, Berin Szoka, and W. Kenneth Ferree, Comments of the Progress & Freedom Foundation in the Matter of the Federal Communications Commissions Examination of the
Future of Media and Information Needs of Communities In a Digital Age, The Progress & Freedom Foundation, May 5, 2010, 2838, http://www.pff.org/issues-pubs/testimony/2010/2010-0505-CommentslinlFCClFutureloflMedialproceeding.pdf.
32 Howard Beales, The Value of Behavioral Targeting, Network Advertising Initiative, March
2010, www.networkadvertising.org/pdfs/BealeslNAIlStudy.pdf.
33 Ibid., 1.
34 Ibid., 18.
35 Federal Trade Commission, How Will Journalism Survive the Internet Age? Workshop Series, 2010, http://www.ftc.gov/opp/workshops/news/index.shtml. All filing made to the Commission in the proceeding are located here: http://www.ftc.gov/os/comments/newsmedia
workshop/index.shtm.
VerDate Nov 24 2008
06:38 Mar 19, 2012
Jkt 073308
PO 00000
Frm 00107
Fmt 6601
Sfmt 6621
SCOM1
PsN: JACKIE
104
been pondering in a series of workshops on The Future of Media. 36 What the
Commission proposes in this proceeding certainly will not help matters any and it
begs the question: If not advertising, then what will sustain online media, digital
age culture, and social networking services going forward? 37
John Battelle is blunter in his assessment of how damaging this move could be
to online culture:
dont come crying to me when you realize that in opting out of our marketingdriven world, youve also opted out of, well, a pretty important part of our ongoing cultural conversation, one that, to my mind, is getting more authentic and
transparent thanks to digital platforms. And, to my mind, youve also opted out
of being a thinking person capable of filtering this stuff on your own, using that
big ol bean which God, or whoever you believe in, gave you in the first place.
Life is a conversation, and part of it is commercial. We need to buy stuff, folks.
And we need to sell stuff too.38
This is a simplified explanation of the value exchange that drives the Internet,
but Battelle is correct that if heavy-handed regulation replaces common sense or the
current online quid pro quo of information-forservices, then something must give.
While the idea of a cost-free opt-out model for the all online data collection/advertising may sound seductive to some, it is vital to take into account the opportunity
costs of such regulation. The real world is full of trade-offs and there is no such
thing as a free lunch.
3. Competition & Market Structure
The Commission does not need to be reminded that it was created in large part
to safeguard competition. This proceeding, however, threatens to tip the balance in
favor of existing technologies or market players over future ones.39 AdWeeks Katy
Bachman argues that:
Heavy-handed privacy legislation could actually curb competition by crippling
ad networks that serve ads to niche Websites dependent on advertising to fund
content. Websites would have to resort to pay models in a medium where free
content is the norm. No doubt the big brands would still draw contextual advertising, but that would come at the expense of new, emerging brands, thus
squelching competition in a space that has thrived on it.40
Similarly, Tanzina Vega and Verne Kopytoff of The New York Times have noted
that:
The Federal Trade Commissions proposed privacy mechanism could cause a
major shift in the online advertising industry, as companies that have relied on
consumers browsing history try to make up for what could be billions in lost
revenue.
If the vast majority of online users chose not to have their Internet activity
tracked, the proposed do not track system could have a severe effect on the
industry, some experts say. It would cause major harm to the companies like
online advertising networks, small and midsize publishers and technology companies like Yahoo that earn a large percentage of their revenue from advertising that is tailored to users based on the sites they have visited.
Under a situation where many users opt out of being tracked, other companies,
like Google, may take a much smaller hit because the vast majority of its revenue comes through search ads that would not be affected by a do-not-track
mechanism. Microsoft, which also sells display advertising through its ad net36 Federal Communications Commission, Future of Media, http://reboot.fcc.gov/future
ofmedia.
37 Castro goes even further, arguing that If the goal of the initiative is to restrict targeted
advertising, it would be better for Congress to just ban Internet advertising outright and develop a Corporation for Public Internet to fund Internet content and applications. Castro, Policymakers Should Opt Out of Do Not Track, 4.
38 John Battelle, Thurs. Signal: Go On, Opt Out. Just Dont Come Cryin To Me . . . Federated Media Publishing, December 1, 2010, http://www.federatedmedia.net/blog/2010/12/
thurs-signal-go-on-opt-out-just-dont-come-cryinto-me.
39 Regulation that disfavors one technology or business model would also deter entry, thwart
innovation, and limit competition and choice in the sale of online advertising. Joan Gillman,
Testimony before the House Energy & Commerce Committee, Hearing on Do Not Track Legislation: Is Now the Right Time? December 2, 2010, 5, http://energycommerce.house.gov/hearings/
Testimony.aspx?TID=4184.
40 Katy Bachman, (Ad) Apocalypse Soon, AdWeek, December 19, 2010, http://www.ad
week.com/aw/contentldisplay/esearch/e3i9f75082f2f627711694ca34d9b326105.
VerDate Nov 24 2008
06:38 Mar 19, 2012
Jkt 073308
PO 00000
Frm 00108
Fmt 6601
Sfmt 6621
SCOM1
PsN: JACKIE
105
work, could also survive a hit to user data collection since it earns revenue from
sources other than advertising, including software and gaming, experts say.41
In a setting where first-party advertising is allowable but third-party marketing
is not, substantial advantages may be created for large incumbent firms, argue Avi
Goldfarb and Catherine Tucker.42 For example, if a large website or online service
were able to use its data to market and target advertising, it will be able to continue
to improve and hone its advertising, while new entrants will find it difficult to challenge the incumbents predominance by compiling other data or collecting their own
data, they conclude.43
And Kunz fears that the Long Tail of niche content is going to get crushed
since thousands of small websites may disappear as dollars flow to consolidated
publishing centers. Do Not Track will send billions of dollars to the big online publishers, hurting the little sites you might find most interesting. The second point
is painful. It could really harm you, too, dear consumer, if you read things online
other than The New York Times, Bloomberg, or iVillage.com. 44 This should hardly
be surprising since economists have long recognized that advertising typically benefits new entrants and small firms more than it does large, established firms, 45 and
that is likely to be the case for targeted online advertising since it would be the
easiest way for niche sites to find interested consumers and advertisers.
Thus, the risk exists that a Do Not Track mandate could steer markets in unnatural, inefficient directions by erecting new barriers to entry or directly picking technological winners and losers.46 If so, the Commission will have failed in its mission
to safeguard competition and improve consumer welfare.
4. International Competitiveness
Some advocates of intervention on this front do not hide their desire to move the
United States in a direction the European Union has followed with data directives
and more stringent forms of privacy regulation. But Americas refusal thus far to
walk down that more regulatory path offers scholars the chance to evaluate Europes more-restrictive approach and study whether Americas lead in the global digital marketplace might be tied to its more hands-off approach to online regulation.
A recent study by Goldfarb and Tucker found that after the [European Unions]
Privacy Directive was passed [in 2002], advertising effectiveness decreased on average by around 65 percent in Europe relative to the rest of the world. 47 They argue
that because regulation decreases ad effectiveness, this may change the number
and types of businesses sustained by the advertising-supporting Internet. Regulation of advertising and data collection for privacy purposes, it seems, can affect the
global competitiveness of online firms.
This is what makes talk of harmonization among privacy regimes so dangerous.
It threatens to undermine Americas competitive advantage in the global digital
arena. It is hard to find many European counterparts that rival Google, Amazon,
Apple, Facebook, eBay, Microsoft, or other market leaders. Why is it that the information technology sector has thrived in America and that U.S. companies are leaders in many of their respective sectors across the globe? Might it be precisely because the U.S. did not follow others down the path of data directives and heavy
41 Tanzina Vega and Verne Kopytoff, In Online Privacy Plan, the Opt-Out Question Looms,
New York Times, December 5, 2010, http://www.nytimes.com/2010/12/06/business/media/
06privacy.html.
42 Avi Goldfarb and Catherine Tucker, Comments on Information Privacy and Innovation in
the Internet Economy, Comments to the U.S. Department of Commerce, January 24, 2011, 4,
http://www.ntia.doc.gov/comments/101214614-0614-01/attachments/NTIAlcommentsl2011
l01l24.pdf.
43 Ibid.
44 Kunz, The $8 Billion Do Not Track Prize.
45 Thomas M. Lenard and Paul H. Rubin, Privacy and the Commercial Use of Personal Information (Washington, D.C.: The Progress & Freedom Foundation, 2002), xxii.
46 As the National Cable and Telecommunications Association (NCTA) noted in comments to
the Department of Commerce: In a nascent and highly dynamic market characterized by rapid
technological change such as online advertising, any regulation that favors or disfavors one technology or business model over another could seriously thwart innovation and the development
of new business models that could benefit consumers, content providers, and advertisers, by prematurely locking market participants into one sanctioned approach. Moreover, limiting online
advertising to specified designated permissible techniques would deter new entry, and limit competition. National Cable and Telecommunications Association, Reply Comments to the U.S. Department of Commerce, January 28, 2011, 1011. http://www.ntia.doc.gov/comments/10121
4614061401/comment.cfm?e=17AF54FD-5201-474A-8EB8-E8B6071AEDEC.
47 Avi Goldfarb and Catherine Tucker, Privacy Regulation and Online Advertising, 57 Management Science 1, (January 2011), 5771, http://papers.ssrn.com/sol3/papers.cfm?abstractl
id=1600259.
VerDate Nov 24 2008
06:38 Mar 19, 2012
Jkt 073308
PO 00000
Frm 00109
Fmt 6601
Sfmt 6621
SCOM1
PsN: JACKIE
106
handed, top-down regulation of the Internet more generally? If applied to American
companies, these European laws would restrict the breakneck innovation of the
commercial web, argues the NetChoice Coalition.48 And Yahoo! correctly summarizes:
It is no coincidence that the U.S. is the birthplace of most of the widely used
global websites and online services. Our legal frameworks encourage innovation
through reasonable liability regimes, controls on harmful uses of information,
promotion of a diversity of online voices, security requirements based on the
sensitivity of the data, and a light regulatory hand that favors and recognizes
complementary roles for industry self-regulation.49
The Department of Commerces recent privacy green paper says America should
look to prevent conflicting policy regimes from serving as a trade barrier. 50 But
should the U.S. impose burdensome new regulations on American companies to
achieve that goal? Would we really be better off if all U.S. firms and policy more
closely resembled the E.U. in this regard?
Some privacy advocates posit the need for greater interoperability or harmonization of privacy policies internationally to facilitate smoother online commercial
interactions or data flows. Yet, the Commerce Departments recent privacy green
paper notes that a considerable amount of global commerce takes place on the
Internet [and] global online transactions currently total an estimated $10 trillion
annually and is growing. Still, it continues on to claim that the lack of cross-border interoperability in privacy principles and regulations creates barriers to crossborder data flow and significant compliance costs for companies, 51 and repeats the
argument for harmonization.
There are three problems with that theory. First, it assumes that the benefits of
regulatory harmonizationwhich, to be perfectly clear, would arrive in the form of
increased regulation on U.S. operatorswould outweigh the cost of complying with
those new rules.
Second, there is no reason that harmonization could not work in the opposite direction. If the Commerce Department, the FTC and other U.S. lawmakers want to
promote U.S. trade, exports, commerce, and global competitiveness, the proper way
to leveling the playing field in this context should be the same as it is in relation
to speech policy or trade law: the rest of the world should follow Americas lead; the
U.S. should absolutely not regulate up to achieve parity with theirs.
Which raises a final problem with the argument for harmonization of privacy regimes through increased regulation on U.S. businesses: it sets a horrible precedent.
At least thus far this has not been the approach the U.S. Government has taken
in most other Internet policy contexts, and with good reason. Consider this in the
context of speech controls. When policymakers in Europe and other regions or countries stifle free speech and expression online, Americas response has not been to
mimic them but, rather, to lead by example. That is, when confronted with conflicting regulatory regimes abroad, our response has usually been to proudly boast
to the world that we have the more sensible approach to Internet regulation, which
is to say, it should be tightly limited so as not to stifle speech or commerce. Some
critics might label this American exceptionalism, but it is really just common
sense if we hope to promote the international competitiveness of U.S. online businesses and remain a global leader in this arena.
5. Silver-Bullet Solutions Rarely Adapt or Scale Well
Finally, there is the more general normative problem of the Commission seeking
a simple solution to a complex problem such as online privacy protection. Do Not
Track fits into a long line of proposed silver-bullet solutions that would mandate a
universal solution to a complicated economic or social issue.
When it comes to such information control efforts, there arent many good examples of simple fixes or silver-bullet solutions that have worked, at least not very
long. Consider the illusive search for a solution to online pornography. The PICS/
ICRA experience is instructive in this regard. PICS and ICRA refer to the W3Cs
Platform for Internet Content Selection 52 and Internet Content Rating Associa48 Steve DelBianco and Braden Cox, NetChoice Reply Comments on Department of Commerce
Green Paper, January 28, 2011, 7, http://www.ntia.doc.gov/comments/101214614-0614-01/
comment.cfm?e=1EA9854223A4-4822-BECD-143CD23BB5E9.
49 Anne Toth, Comment of Yahoo! on Commercial Data Privacy and Innovation in the Internet
Economy, January 28, 2011, 2, http://www.ntia.doc.gov/comments/101214614-0614-01/comment.cfm?e=F6A50C0B-00CC-44A6-B475-FE218170CA02.
50 Department of Commerce, Commercial Data Privacy and Innovation, 20.
51 Ibid.
52 http://www.w3.org/PICS.
VerDate Nov 24 2008
06:38 Mar 19, 2012
Jkt 073308
PO 00000
Frm 00110
Fmt 6601
Sfmt 6621
SCOM1
PsN: JACKIE
107
tion.53 For a time, there was hope that voluntary metadata tagging and content labeling could be used to screen objectionable content on the Internet. But the sheer
volume of material to be dealt with made that task almost impossible. The effort
has been abandoned now.54 Of course, it is true that effort did not have a government mandate behind it to encourage more widespread adoption, but even if it
would have, it is hard to believe that all pornography or other objectionable content
would have been labeled and screened properly.
In a similar way, The CANSPAM Act aimed to curtail the flow of unsolicited email across digital systems and, yet, failed to do so. Private filtering efforts have
helped stem the flow to some extent, but have not eliminated the problem altogether. Royal Pingdom estimates that in 2010 89.1 percent of all e-mails were
spam.55 Spam pages, are also a growing concern. In January 2011, Blekko, a new
search engine provider, created a Spam Clock to track new spam pages and found
1 million new spam pages were being created every hour.56
Similar problems await information control efforts in the privacy realm, even if
a mandated Do Not Track mechanism required the re-engineering of web browser
architecture and/or standards. Its a single response to an overly-simplifies set of
choices we encounter on the web, notes the NetChoice Coalition, which represents
e-commerce companies.57 Also, Do Not Track does not address mobile or app data,
nor any data created outside a traditional web browser, notes Michael Fertik, CEO
of Reputation.com.58 At the same time, the growth in technology and understanding can render current solutions inadequate. A privacy rule to limit behavioral
advertising today might not work in the future when more data is available and
there are more powerful algorithms to process it, he says. There is no reliable way
of ensuring this technology is being used, however, says Sidney Hill of Tech News
World. Ensuring compliance with antitracking rules will become even more difficult
as more users turn to mobile devices as their primary means of connecting to the
Web. 59
Importantly, Do Not Track would not slow the arms race in this arena as some
seem to hope or suggest.60 If anything, as noted in more detail below, a Do Not
Track mandate will speed up that arms race and have many other unintended consequences.61 Complex definitional questions also remain unanswered, such as how
define and then limit tracking in various contexts, as well as how to enforce such
a regime. Lauren Weinstein summarizes some of the most obvious issues:
Sending out a new Do Not Track headereven beyond basic associated technical requirements at the client and server endsand even if theres agreement
on how that header is definedtells you nothing about what actually happens
to that header after being sent by the client browser. How does the user who
sends such a header actually confirm that theyre not being tracked as a result? And how do they know that continued tracking isnt caused by a technical
53 http://www.fosi.org/icra.
54 http://www.icra.org.
55 Royal Pingdom, Internet 2010 in Numbers, January 12, 2011, http://royal.pingdom.com/
2011/01/12/internet-2010-in-numbers.
56 http://www.spamclock.com. Also see, Danny Sullivan, Blekko Launches Spam Clock To
Keep Pressure On Google, Search Engine Land, January 7, 2011, http://searchengine
land.com/blekko-launches-spam-clock-tokeep-pressure-on-google-60634.
57 Steve DelBianco and Braden Cox, NetChoice Reply Comments on Department of Commerce
Green Paper, January 28, 2011, 14, http://www.ntia.doc.gov/comments/101214614061401/
comment.cfm?e=1EA98542-23A4-4822-BECD-143CD23BB5E9.
58 Michael Fertik, Comments of Reputation.com, Inc. to the U.S. Department of Commerce,
January 28, 2011, 12, http://www.reputation.com/blog/2011/01/31/reputation-com-commentscommerce-department-privacy-greenpaper.
59 Sidney Hill, Internet Tracking May Not Be Worth the Headaches, Tech News World, December 29, 2010, http://www.technewsworld.com/story/Internet-Tracking-May-Not-Be-Worththe-Headaches-71543.html.
60 Some examples: The header-based Do Not Track system appeals because it calls for an armistice in the arms race of online tracking. Rainey Reitman, Mozilla Leads the Way on Do
Not Track, Deeplinks, Electronic Frontier Foundation, January 24, 2011, https://www.eff.org/
deeplinks/2011/01/mozilla-leads-the-way-on-do-not-track. Similarly, Chris Soghoian argues that
opt out mechanisms . . . [could] finally free us from this cycle of arms races, in which advertising networks innovate around the latest browser privacy control. Christopher Soghoian,
What the U.S. Government Can Do To Encourage Do Not Track, Slight Paranoia, January
27, 2011, http://paranoia.dubfire.net/2011/01/what-us-government-can-do-to-encourage.html.
Finally, Arvind Narayanan of Stanford University argues that Do Not Track, is a way to move
past the arms race between tracking technologies and defense mechanisms, focusing on the actions of the trackers rather than their tools. Arvind Narayanan, Do Not Track Explained,
33 Bits of Entropy, September 30, 2010, http://33bits.org/2010/09/20/do-not-track-explained.
61 Too often, well-intentioned efforts to regulate technology are far worse than the imagined
evils they were intended to prevent. Abelson, Ledeen, and Lewis, Blown to Bits, 159.
VerDate Nov 24 2008
06:38 Mar 19, 2012
Jkt 073308
PO 00000
Frm 00111
Fmt 6601
Sfmt 6621
SCOM1
PsN: JACKIE
108
issue that prevented the header from ever being received and processed by the
destination server?
Perhaps the header line was eaten by an intermediate proxy server (its quite
common for proxies not to pass along all headers). Or maybe the header reached
a server that simply hadnt been modified to recognize it yet. Or did the header
reach a server in some jurisdiction (say, outside of the U.S.) that wouldnt even
be required to know about that new header? And so on.
You cant just send a Do Not Track header and expect meaningful results. In
practice, you end up having to build an entire confirmation apparatus of some
sortand even then its likely to be a mess. Without confirmation, you can send
out whatever headers you wish, but when you dont get the results you expect,
what does that mean? Who knows? This all gets very complicated, very quickly.62
Moreover, in light of the global nature of online commerce and speech, Do Not
Track will not scale as well as advocates hope.63 Castro says:
Another problem with Do Not Track is that it does not scale well on the global
Internet. As described above, to be effective, the proposal would require a Federal mandate calling for substantive modifications to networking protocols, web
browsers, software applications and other Internet devices. Besides raising costs
for consumers, it is unclear how effective such a mandate would be outside of
the U.S. borders or how well the proposal would be received by international
standard bodies.64
Again, as noted previously, the regulatory experience with spam, objectionable
content, and copyrighted content suggest serious challenges lie ahead because of the
borderless nature of online activity /commerce.
6. Implications of This New Regime in Other Contexts
A final danger with the FTCs proposed Do Not Track information control regime
is that it could also establish a precedent for other forms of Internet regulation. If,
in the context of privacy policy, opt-in becomes the new default norm or mechanisms such as Do Not Track become the preferred top-down mandate, similar regulatory norms might be expected in other contexts. Why not mandatory opt-in for
other types of speech or content? For example, should the presence of potentially
objectionable content across digital networks be used as an excuse for greater regulation of the Internet?
That is not the way things currently work, of course. At least in the United
States, we demand that personal and parental responsibility be the first and primary line of defense against unwanted communications or content. Why should it
be any different when it comes to privacy concerns? 65
Consider how things work in the context of speech and content regulation, American jurisprudence has become a fairly settled matter: people (or parents) are expected to take responsibility for unwanted information flows in their lives (or the
lives of their children). Under current law, it is assumed that the many user empowerment tools on the market (filters, monitoring software, other parental control
technologies) constitute a so-called less-restrictive means of controlling content
when compared to government regulation.
Many privacy advocatessuch as ACLU, the Center for Democracy & Technology,
and the Electronic Frontier Foundationvociferously endorse this less-restrictive
means test or educate and empower paradigm in the free speech context. Generally speaking, when it comes to speech regulation, they rightly argue household
standards (user-level controls) should trump community standards (government
regulation). And in Court they repeatedly employ the less-restrictive means test
to counter government efforts to regulate information flows.
62 Lauren Weinstein, Risks in Mozillas Proposed Firefox Do Not Track Header Thingy,
Lauren Weinstein blog, January 24, 2010, http://lauren.vortex.com/archive/000803.html.
63 Many behavioral targeting companies are based outside the USmaking legislation ineffective, says Doug Wolfgram, CEO of IntelliProtect, an online privacy management company.
Quoted in Tony Bradley, Why Browser Do Not Track Features Will Not Work,
Computerworld, February 10, 2011, http://news.idg.no/cw/art.cfm?id=ACE91A0E-1A64-6A71CE2572C981C0204A.
64 Castro, Policymakers Should Opt Out of Do Not Track, 3.
65 The Cato Institutes Jim Harper argues: Privacy is not a gift from politicians or an entitlement that can be demanded from government. Privacy is a product of personal responsibility.
Like moral living, privacy is the product of careful consideration and concerted effort by individuals. To be sure, protecting privacy can be hard. It involves knowledge, vigilance, and constant
trade-offs. Harper, Understanding Privacy, 5.
VerDate Nov 24 2008
06:38 Mar 19, 2012
Jkt 073308
PO 00000
Frm 00112
Fmt 6601
Sfmt 6621
SCOM1
PsN: JACKIE
109
When it comes to privacy, however, many of them abandon this vision. For some
reason, when the topic of debate shifts from concerns about potentially objectionable
content to the free movement of personal information, personal responsibility and
self-regulation become the last option, not the first. What is most troubling about
this is that those advocates could be unwittingly undermining the power of the less
restrictive means test more generally, which is a vitally important barrier to greatly enhanced government control of cyberspace. That is, when privacy advocates ignore, downplay, or denigrate user empowerment tools, they are essentially saying
self-help is the right answer in one context, but not the other.
That is a shame because, as discussed below, self-help tool work well in both contexts. And the same arguments used against private parental empowerment technologies are often trotted out in opposition to privacy controls. Can privacy tools be
confusing at times or difficult to set up? Yes, they can, but no more so that parental
control tools. Are privacy tools as effective as parental control tools? In some ways
privacy tools are actually more effective because in the case of parental controls, the
person you are attempting to protect (namely, kids) often have a stronger incentive to evade/defeat those tools. Moreover, privacy-enhancing controls can be very
effectiveperhaps even too effectiveat shutting down unwanted information flows.
Whether it is ad-blocking tools, cookie controls, or encryption techniques, these tools
can actually be far more effective blocks on information flows than, say, Internet
filters meant to block porn or hate speech, which is also more subjective by nature.
Of course, no technological empowerment tool or solution is perfect. But as the
Supreme Court held in United States v. Playboy, empowerment tools need not be
perfect to be preferable to government regulation. Government cannot ban speech
if targeted blocking is a feasible and effective means of furthering its compelling interests, the Court held.66 Moreover, It is no response that voluntary blocking requires a consumer to take action, or may be inconvenient, or may not go perfectly
every time. A court should not assume a plausible, less restrictive alternative would
be ineffective; and a court should not presume parents, given full information, will
fail to act. 67
Again, the exact same principle should hold for privacy regulation 68 Why not expect those especially privacy-sensitive users who object to targeted online advertising to do something about it? To the extent effective self-help privacy tools exist,
they provide a means of solving policy problems that is not only less restrictive
than government regulation but generally more effective and customizable as well.
Why settle for one-size-fits-all solutions of incomplete effectiveness when users can
quite easily and effectively manage their own privacy? Indeed, those who advocate
personal responsibility and industry self-regulatory approaches to free speech and
child protection issues should be advancing the same position with regards to privacy.
66 United
States v. Playboy Entertainment Group, 529 U.S. 803, 815 (2000).

824.
University Law Professor Tom Bell has argued the same principle should hold
in both contexts. Tom W. Bell, Internet Privacy and Self-Regulation: Lessons from the Porn
Wars, Briefing Paper 65 (Washington, D.C.: Cato Institute, August 9, 2001), http://
www.cato.org/publdisplay.php?publid=1504.
67 Ibid.,
68 Chapman
VerDate Nov 24 2008
06:38 Mar 19, 2012
Jkt 073308
PO 00000
Frm 00113
Fmt 6601
Sfmt 6611
SCOM1
PsN: JACKIE

Senate Hearing, 112TH Congress - The State of Online Consumer Privacy

Încărcat de

Informații document

Titlu original

Drepturi de autor

Formate disponibile

Partajați acest document

Partajați sau inserați document

Opțiuni de partajare

Vi se pare util acest document?

Este necorespunzător acest conținut?

Drepturi de autor:

Formate disponibile

Senate Hearing, 112TH Congress - The State of Online Consumer Privacy

Încărcat de

Drepturi de autor:

Formate disponibile

S. HRG.

THE STATE OF ONLINE CONSUMER PRIVACY

MARCH 16, 2011

U.S. GOVERNMENT PRINTING OFFICE

For sale by the Superintendent of Documents, U.S. Government Printing Office

VerDate Nov 24 2008

06:38 Mar 19, 2012

SENATE COMMITTEE ON COMMERCE, SCIENCE, AND TRANSPORTATION

VerDate Nov 24 2008

06:38 Mar 19, 2012

Hearing held on March 16, 2011 ............................................................................

VerDate Nov 24 2008

06:38 Mar 19, 2012

VerDate Nov 24 2008

06:38 Mar 19, 2012

THE STATE OF ONLINE CONSUMER PRIVACY

OPENING STATEMENT OF HON. MARK PRYOR,

Senator PRYOR [presiding]. I will go ahead and call this to order.

VerDate Nov 24 2008

06:38 Mar 19, 2012

HON. MARK PRYOR, U.S. SENATOR

VerDate Nov 24 2008

06:38 Mar 19, 2012

STATEMENT OF HON. JOHN F. KERRY,

Senator KERRY. Thank you, Mr. Chairman. I would like to just

VerDate Nov 24 2008

06:38 Mar 19, 2012

VerDate Nov 24 2008

06:38 Mar 19, 2012

VerDate Nov 24 2008

06:38 Mar 19, 2012

Senator ISAKSON. Thank you, Mr. Chairman. Ill be brief but I

Mr. LEIBOWITZ. Thank you, Chairman Pryor. And Senator Kerry,

VerDate Nov 24 2008

06:38 Mar 19, 2012

VerDate Nov 24 2008

06:38 Mar 19, 2012

VerDate Nov 24 2008

06:38 Mar 19, 2012

FEDERAL TRADE COMMISSION

VerDate Nov 24 2008

06:38 Mar 19, 2012

VerDate Nov 24 2008

06:38 Mar 19, 2012

VerDate Nov 24 2008

06:38 Mar 19, 2012

VerDate Nov 24 2008

06:38 Mar 19, 2012

VerDate Nov 24 2008

06:38 Mar 19, 2012

VerDate Nov 24 2008

06:38 Mar 19, 2012

Senator PRYOR. Mr. Strickling?

VerDate Nov 24 2008

06:38 Mar 19, 2012

Mr. STRICKLING. Thank you, Chairman Pryor, Senators Kerry

VerDate Nov 24 2008

06:38 Mar 19, 2012

VerDate Nov 24 2008

06:38 Mar 19, 2012

VerDate Nov 24 2008

06:38 Mar 19, 2012

VerDate Nov 24 2008